hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

27-09-2024 13:49

240927-q45laaxgne 10

27-09-2024 13:46

240927-q3bltaxfqc 9

27-09-2024 11:49

240927-ny4qpa1dkm 10

27-09-2024 11:43

240927-nvsh9a1bnk 10

Analysis

max time kernel
46s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 13:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

9^/10

defense_evasion discovery evasion execution impact ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2324	NetSh.exe
2764	NetSh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
71	raw.githubusercontent.com
72	raw.githubusercontent.com
81	raw.githubusercontent.com
86	raw.githubusercontent.com
62	raw.githubusercontent.com
67	raw.githubusercontent.com
73	raw.githubusercontent.com
75	raw.githubusercontent.com
77	raw.githubusercontent.com
78	raw.githubusercontent.com
63	raw.githubusercontent.com
70	raw.githubusercontent.com
79	raw.githubusercontent.com
84	raw.githubusercontent.com
85	raw.githubusercontent.com
68	raw.githubusercontent.com
69	raw.githubusercontent.com
74	raw.githubusercontent.com
76	raw.githubusercontent.com
61	raw.githubusercontent.com
66	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 3 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1948	vssadmin.exe
1488	vssadmin.exe
600	vssadmin.exe
2936	vssadmin.exe
1312	vssadmin.exe
1552	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1752	1944	chrome.exe	31
PID 1944 wrote to memory of 1752	1944	chrome.exe	31
PID 1944 wrote to memory of 1752	1944	chrome.exe	31
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2808	1944	chrome.exe	33
PID 1944 wrote to memory of 2856	1944	chrome.exe	34
PID 1944 wrote to memory of 2856	1944	chrome.exe	34
PID 1944 wrote to memory of 2856	1944	chrome.exe	34
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35
PID 1944 wrote to memory of 2712	1944	chrome.exe	35

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7069758,0x7fef7069768,0x7fef7069778
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:2
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1368 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:2
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=676 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1944 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3884 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3088 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1952 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2248 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3384 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3972 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2260 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1180,i,5708933791327726179,11351854189762212093,131072 /prefetch:8
  2⤵
  PID:1676
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  PID:1928
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1948
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1488
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:600
- - C:\Windows\system32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2324
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:2000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2780

C:\Users\Admin\Downloads\Annabelle.exe
"C:\Users\Admin\Downloads\Annabelle.exe"
1⤵
PID:2624
- C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2936
- C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1312
- C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1552
- C:\Windows\system32\NetSh.exe
  NetSh Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:2764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18030465535523293921750510251-1881919537-57881166112350743292057826247-153683307"
1⤵
PID:2948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8d6bcda4-7210-4a5c-b165-a60202a8b73f.tmp

Filesize
168KB

MD5
bc8c01d88b7b94e9ef39ce65c2032436

SHA1
b3027fed6e32f95d229a058d153f2a22a5bbe625

SHA256
0a21124bc09b6725833f58541097b651894051ba63e82da158c077de4feba692

SHA512
cd1ec542d836089fec774747ca49323fc3bf116b391be9e90ec24163951ede95bcc636bca9cb952c1a32bda616a53d1160a7c7e480afd75605982c583e5c26c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6987addbfcf1493da5539488988d8d7b

SHA1
24f53675667ce5c042bc47d8fa14057a114145ec

SHA256
22b9aa07e24877736b257341fcdde2a7f9fb7c0d5994abbaa2644146143d7dd4

SHA512
cda7790bc3b2c0081c6be7ea78fe1f353314f328fa94f2454e389a0dfed2457e712a8514a2dd495efedc3f86b46d6ecfd5972b6e071eb108b8bc65dd4677188a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d26a259b0cc42cd70b52a0eca50f33d5

SHA1
caeada9c41e625d15458e9fa4a536295b834d5a2

SHA256
8da547064e9a1122f49bcf2d3c104e21c52c67c929387068d82dd344760b8cb8

SHA512
a3684528fe2a3f72c558c8297fcaa94032c1bcc4be8d635767f4d60b2eaa6276773aff53a7f48055afeac18e0714094c8423b3c841e6ec5683b2f5a9ca760abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
847B

MD5
e7b3fa48c847810fba96b6090e73f2c3

SHA1
a4cc6e02331bb56d56f0e5d9890d3c98dd6d9238

SHA256
748fdfda15aa3d0f6de4d76eb0b8f82d740db08d4203bb21d88eda9cc75a51f8

SHA512
545dae8b06caf9c1ac1748b7a8ddac291ae3aa8ba12f1080e091678ada6df0f174f90d0bade6443517194f58290f16e350382244f327f1ab0a05c8c7f9df02ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1009B

MD5
03b1c963411edc7b621338a1a2941a9f

SHA1
b48ed8face9f61092a48fa474d3ebfc0df3a75a4

SHA256
05e8847c30ab85b8d4c5da7b727fec5c2b7a8eef81a5d7a2c7dec6f0b1666840

SHA512
b9d732149a1d12662364039ac100eb779e2c39f8feb0d41f0483a16cfc2f7a92c9bbbd5f348a9e900661816e4dadfbdce0bef14826139fb5f8d32f8bba078fcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1009B

MD5
26578f0effc4a7b57d7cefd17303dc64

SHA1
34eb90d79d5d3b9a088eed2c0e70f5427eb2ed81

SHA256
49503839caeaeaf4f928a4b262f60d46860413f84e577e2bd0a7806a676cfcec

SHA512
251c3309d13816f2e32018a2a49dd67223adc8cfe77dee1788dba572c3e29d0421892f89fb37c75f0f906883f4d547377d4e49daacdcbd2b242a9ee8d29f5e8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
f0937eb252bd59da5abb0675fdf4e718

SHA1
515321bd1ef8d972eb9be3b94120b0b07628967b

SHA256
80223b17cc7a129a6b058cf756e6b19632d1e7024adf6b42d4b42ab0b9449863

SHA512
735b4d3d86ab2b4a01434b52ea0b489336fdfece11f1664007708cdd8a1eb23d4349c3e32ebe9ff0d6598c78b61bff0fb9d0cebec08fba57e9911f340c65d157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
847B

MD5
6fc3d786208b79f455e9ab7ffd96c1d2

SHA1
f10c1b5a4c70388a06e16a2737271a13e4730a3a

SHA256
16f4380ac189952b6f7de8aec47b5ebcc18a18b1cd05375b984ee871a39c43a2

SHA512
30c0b27d7c8b39ee09e1d2600c08830f63e6f90c9a455ca969cc13bbb8511f2f51dd7c4af054e4ad99a5fee85641aca02731df8df7f0db85b92e035ceac607b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
72a8c8d26708a98cbb5881f216a7ae46

SHA1
b603a23a5cecddac0c17465e673c276de5a66b7e

SHA256
b1836a67e730a22024e17517ca944df8154e748061e9b7d8bf6d3f0dedcbd2bf

SHA512
1f5e4d22f06cb0af0fa6ba41a91630af61b023d67a70357c0397d3d853e0f7fed7e116b9bee9ffdc7e116ad22f4d690987367720367864e3f158c41da2cf8843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
02933c4463e97f59dcb513f9c3662813

SHA1
60f5dd314acf7e6e3d32b51e828124fc9bfbde25

SHA256
e45d2d82f854c167eea2a8b21d03719f95fd3a5d3d249c4308edccb6fb0ae2b5

SHA512
e6ab19b6137245b873ea04667ecab2b994f905780354cdf6a4a633527087a2c79cfd5d646719f992e70d923fede70af82a5b0ecbd17ad899c233ca3a3ee1fb9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3870c95664c324d67af22377a2cba3dc

SHA1
be52ced6d9f6f54d3277892952f647aa5f1b2c56

SHA256
706b8dd289ceb6b76e2073341677f87124058b49be994aa39a7fc0dc4cb9c114

SHA512
3807380a8b8f260d70ff6ffdabee19b75355a305608673668caca069a6becfa4d1edb5f416ab504e9829e582633974a0992b33b023952047665a9c716045a8d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7add92110761bb6527997b80b08d01bc

SHA1
99eb87afd70dda4e93050eac0ab0cd819e5eee3d

SHA256
0510f4d896886a36ab04ef411b0528f869970390b1150096c3fafa7e810b9213

SHA512
d5b4ad8050e90470f0018a3d83a4787f23c410f4e1f57d251127881a11bf5e9582f35676af9c3c457463dc16a11efec48d41f5a4eaa2dd782872d3d7a5c3acb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c8c9bf5bbd668eddcaf049bc39202427

SHA1
36cda03d50057df4669e286b6cf3d50b11040e03

SHA256
88143247f9facd99f25cedd5475a20eefb9e7af62d446427d86f9a19ff1ee088

SHA512
2c03c4ef426d6f0a5ffe7c828e07fae4946e03c940964c882cf4dd3dc6b63d363740268d672d3a28d7c508ef606850c81b82e4b079509b2a0e3acadc0bc4d797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
19110bd2b87088eb33f1c98b12afc36e

SHA1
df349fbf999eeef0023b0aef09d94d9575a22e92

SHA256
0ff2cc38657d0a5ca3c7b69a23791d4920c34bcbdff1363a9f6e127ca096d3c9

SHA512
9a4c295884a600cab96ef130eadc886305516ffb6d967da8fcd18776bee84820fe94ba2c258a304772622aef1cc6b9bba7b3514340a1c6941448e7aac2a6231b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
81KB

MD5
bce8283c7191c5ce48b31a1332ae4dc0

SHA1
3a340fe8b5bcc9316bab7b7f8c5a072c33a98fbf

SHA256
221997fa4d6e77a96374f1f33486d6e576793bfc284c81d2cfc8bcc717a18e30

SHA512
15856ac4cb3451379f0b10c831343f5755c050b25240a8df326d24e656e13932657435e319e1faefde1f0d8c7c51c038fec2d9dbe03508c0bacbc002e2747278

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE90A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE93B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Documents\AssertGroup.doc.ANNABELLE

Filesize
769KB

MD5
e79bbaee1bfe9fa25ed92290abf42c69

SHA1
f2b61ea20a10d0a2b30dad74c81626c8837efbb8

SHA256
affea7871d0d6d886aa4c2e618ffe2edd2b0cf5dada0c3cea411616da526a2df

SHA512
4a4a86f14510df3bbd7895becbdc2323dd023b7080bb3056505cf99b7ea7079836a3056419c624191c40b71b77d4cfef0d1ae0b900378fe84b57180c6dff6f4f

Download Submit
C:\Users\Admin\Documents\BackupConvert.vsx.ANNABELLE

Filesize
830KB

MD5
37342969aa3b701616f1838cedbc0bf4

SHA1
a9a66bd8cbc81dc8e8f55a3b2e4b6fccbe6f3589

SHA256
72147eaad5688e9d784ad6b8e2fe6e5b7c8fd8740726fcb558eb0e8288682699

SHA512
d3b31f13c40bd2518b02445ec47c8a4ed4889cbbb9228bba23ff1482fc0b4e8a77c6873f990990215297802058232444930132b0af69ba1434ec810cda7fc88c

Download Submit
C:\Users\Admin\Documents\CheckpointDisable.xlsx.ANNABELLE

Filesize
649KB

MD5
f7be288d0598821b20f5baa31607850e

SHA1
6466734db458b38b2ccd330a10cf09a357bf6189

SHA256
5c7109b16b1b83e931046884b3696a946ac5ea44ee3026ef5d1cc8b3c7877cfe

SHA512
669d3bae5cef68b760718d5206ffa47e5b959138719c9c671c70c11a2c9a2b133c62c1257a9b74c4dcac85f60c85b9b6736bfd1a717a08d3f4b5fcd7b6af9834

Download Submit
C:\Users\Admin\Documents\CompareSync.csv.ANNABELLE

Filesize
709KB

MD5
cda0767b56857629dd6036796bf6716e

SHA1
be7e2e2389ee2b8ebb4d488d2af5cdf5eede5217

SHA256
30f2b2fcffcecc4897fb3ede7aa5c546b75ff72d08ad43ae11fd82e706f0dce4

SHA512
15155b95b2d97dc99e2870906021313d2a7ebf5701ddb63759397d5d2d14cdc607dacf7e8de04a2b4e09ebc28a6ab685f5e6ca906a3b408f9f99ce7d57866870

Download Submit
C:\Users\Admin\Documents\ConfirmApprove.mhtml.ANNABELLE

Filesize
437KB

MD5
221666381607b4cc9068c203c8cd0df6

SHA1
360fcb7a6a2cee3319e15b97d187d3f7a58cd4d7

SHA256
1bea299ba1e0b426b93e0f8f055c679bf616fa8583cdb8154bc802470f40cfff

SHA512
f4e01e1b34440e0d7441d27ef2658bbe12f3e231161d6c36857130a65a7160016eeb46bd3dcc44823a85d77c8ee2f3b535a1ac80044f5c9c706065843f69066d

Download Submit
C:\Users\Admin\Documents\ConfirmSave.txt.ANNABELLE

Filesize
588KB

MD5
2b439cf90ccf8c5dae0161e9bdff4c83

SHA1
4c52522216875794771f39edbf099031eb2b844b

SHA256
ea3644e45bf54e36d571e954fe37e98ce94622f12a9386328e2766011e923258

SHA512
aba65549e83cea0327f4ccc051d037c35517e2b98012fb022693e29a90d768dbdf7b55dd27ccb6936d399fa0e6bb30780f05d492a17b2c1775d1c32d38f0d764

Download Submit
C:\Users\Admin\Documents\ConvertToSplit.rtf.ANNABELLE

Filesize
679KB

MD5
b01b0a9f8f297de0fe8bc6ba0dadb730

SHA1
177727af82fbedfff3de1167b6291083ca5b8847

SHA256
ee567e2405ac4352c12ff1af52be05a208c9cf12650d12501d34e806ca311638

SHA512
342a6fc541f60c84fb71949151731a6a5e107327b5613c6c6bec66c682683ac39e1faa9d49b0a999ab44d986764c1a963a0eb99a7c696ad1f9b350642f3cc1d7

Download Submit
C:\Users\Admin\Documents\CopyUnregister.csv.ANNABELLE

Filesize
739KB

MD5
a4ff66573b06a2f0127ff9ed26a951c0

SHA1
c2f6a4e02a1c32b9aedb430018b0a256cba466d5

SHA256
efd2fb8ccdb3c1d180a990f71129bacdbf8d97171f1b052c3e695045a9454b98

SHA512
575203b490d476807faf09d2f7a955b20cc92c90cdb061929f850a20fe32b5533776e8b37f767ae8eb9d5f1f1cdebcfa11874d76112f4642e81d1955bade1fc6

Download Submit
C:\Users\Admin\Documents\DenyShow.xlsx.ANNABELLE

Filesize
12KB

MD5
9e0b71ea5c8d9f459c323239bfe2366f

SHA1
c6f2e605ad24969a4ac17c8405ac011e893d8a6a

SHA256
7d917a3671f84bd19b96b1cc0c714385f3e5db7ce66cc6c21121514c482e86e5

SHA512
6f5784a1446c72b602e0ea741efdb67fa9d9d82d9dea3e1cb4aff097b2279e0116f80764d75ec06a52dad9c9168cd8664025232564f52d306760a5d357bd64c6

Download Submit
C:\Users\Admin\Documents\InstallLimit.ppt.ANNABELLE

Filesize
528KB

MD5
bfa70a0fc95035745e0d4495516e724a

SHA1
4b14005fc1655cffd2a7fae1a5ef2e0dc88943cc

SHA256
444f918a0e76e4ec26c5870493bc1acfc1964463fb57b27bf56ce9168b678f46

SHA512
bdd9722c68556be7aac6c4abcf35746d06cb4a7462e7b7087784568e87687ccd2ccbd7d357455cb51af88548ebeb4807fb1b687969c3525cdcab055dc8083fc3

Download Submit
C:\Users\Admin\Documents\InvokeReset.mpp.ANNABELLE

Filesize
890KB

MD5
a92a095fe14003c12daf7a1620a699b3

SHA1
888f4f76346b3ee5822b0e177579af12ce66e1f7

SHA256
07e1f86c6b5754b6bb6313e8d542b279218e7485f238bbfef3431743cc25ccf9

SHA512
31ba72c1b75629d3cc902552b8a44bdb06ccd68bf055383500015e4823d4d0f2cc43fca899beaa0f37e9fbaea370170912b7431a9f4a0df2441d359ff518a5a0

Download Submit
C:\Users\Admin\Documents\LimitFormat.docx.ANNABELLE

Filesize
18KB

MD5
33804e018e9e0900064c243602de3c2a

SHA1
a21371ed1287b0ea2165209dbad4b098885e161d

SHA256
e32a7789bda8b48078d394dc6fa50c378792d0a390f86b17d2fad76b7ff4ca84

SHA512
394e640af8c88c28e778961bacef24e9e803f192e266a16d4a9239d5438f7f08be69771c92fa8bddfc1234f81bb4e6c1650ebd2ceff8915a3023538a69cff322

Download Submit
C:\Users\Admin\Documents\PopRemove.dotx.ANNABELLE

Filesize
316KB

MD5
849b11b4ae5df0b499be9d0528687e3b

SHA1
4f0669f2e684ab08a4ff43e476f6de290dd66ce0

SHA256
f75c9711bab0b07d7b47a1e7f0c999f08320990389bf31acaa2e74d125de764c

SHA512
42dc9bbcda7827b60ef63a450bef3c8357d2a571ba33969a838384f0dd4070a0f7335d36be9e1134b5237426b6d4e7bdc1155e64509c9e6272ba5f9205b6931c

Download Submit
C:\Users\Admin\Documents\PushResolve.xlsx.ANNABELLE

Filesize
10KB

MD5
dc36c3a475cbf5daaf9ab3bc23ff0455

SHA1
b49ab19860b7ab8a7db6f35157cf4709e526f2f8

SHA256
61d72969565f2cc566ce46eb470fd0c9257fad40b439951493c043b9a460ff39

SHA512
b6e83d7618bb5201755dfddcc826429bb7a4716a73232f6fb62f7e48e46689a7220bf6d11995a0337914042ec261636a41d5c3cd4b853117aab5868ee5ba0642

Download Submit
C:\Users\Admin\Documents\RegisterDismount.xls.ANNABELLE

Filesize
558KB

MD5
12d9c6067f25eb91f7f3633767eae6fa

SHA1
44897197512206392ea2f6181622c28b97ed9e9d

SHA256
e0bbf551b46e775053a802a08742042714389ed5c6755be2ac3affe60e517364

SHA512
2d4aa107d2eedfbc6857e78a0333e910a5ab2daef258de5d589100dd5cfd786452a75db98ed27fdf60a39e57ab33652da57886d2126bc8f48e38b505228d9d9a

Download Submit
C:\Users\Admin\Documents\RestartResume.potm.ANNABELLE

Filesize
618KB

MD5
d0b4d2fe98712c2c80006c14e798946e

SHA1
99720d5571fb0676b19c1c6a14dbcebe452e20a1

SHA256
d1803a526a99c04371dabd9b0f34a284a765171ce179fdce195933b11045b2d8

SHA512
41fd76eb61e5dbd713664590a6e49ef0b040189954a40b9820544cc8e92e37096b22726caa79ca53f32522e338262fe090cf1fd7fec1457a6754619b27f19f7e

Download Submit
C:\Users\Admin\Documents\SearchGroup.xlsx.ANNABELLE

Filesize
1.2MB

MD5
53b8f8e0c356b0de2b1fdd429075943c

SHA1
69160339d27e1dfe396aa8aa348527bf20416477

SHA256
af1c7fe87bcba71a6e3ab1edece8334212a98688a453b12518f53d0be300eed9

SHA512
af32dad6bc082fdb471419d7b443749d136fc8205c3b72617d238efb6a0b51a6810cf9f42e3239f4fa9952220b5f15b1935cd8a7e71f79c24794be9bbf921c0c

Download Submit
C:\Users\Admin\Documents\ShowUpdate.docm.ANNABELLE

Filesize
467KB

MD5
6b45aa7eac31d5b4e669839510eaa22d

SHA1
a990af9b066c8f23bb20016a063cf1291b9b6a46

SHA256
1e679b2554133ec0f873bdec31a3bac65ce77a782bed79ca083634281bdc053c

SHA512
ccc99da51a57b0bcd604b3d71aa598abe2e040339e5b018e2776175f4fd05716db255b32ee2a9bd191271a505e4473f36078d22626f7b4f6934d472216b8dc37

Download Submit
C:\Users\Admin\Documents\StepConvertTo.pot.ANNABELLE

Filesize
407KB

MD5
df780b5ccd936bbbb5412267b5667cd8

SHA1
51111295b9e9107c7d65ddac55f5f311c669423f

SHA256
3937e4959d0ffd6605608934d29531394bc53b47c410a1c6e7187755b26ca12f

SHA512
58549dfe5b99d9d8222ff254946a507df5a7ff42606e06515d7eb3e1cea326353b0bd84667a70b314d8feb086e0eb110d5ef363c06bc3420f5c5dcc16945315a

Download Submit
C:\Users\Admin\Documents\StopSuspend.vsd.ANNABELLE

Filesize
860KB

MD5
cd293245a5e86b10351528fb178deed2

SHA1
a0462a17d3abe5874a8b41db8416dc148c44ca54

SHA256
b2f887e28174e3e0759e279d966f7f7671f2979122cbd279e5645ad1d6fb59a3

SHA512
627309bd135ad0b16d5528374debe0227a7e974f532eaa5a15b55d6afe23d37e5144f971e916ff93c3317c33bfb961069e5af8b906f500c9080b07a01a4ef803

Download Submit
C:\Users\Admin\Documents\TraceWatch.potx.ANNABELLE

Filesize
498KB

MD5
29a4604c2a9802b28b8d46bc18122613

SHA1
22e412445107f010a61f663a533f3b56a44ae814

SHA256
10c8b1f23618e91830bb5850ca0aaa71ec265da07b974dccb45560e8fb1eb521

SHA512
bb3fc7fb8d76e6c0a6017602190f35cb50492e69537567381275c37fd95b3dab9506d44a3daf2641f9e7681d08368b8acac30673c5fd644794d860ec8d23fe77

Download Submit
C:\Users\Admin\Documents\UnblockCopy.pps.ANNABELLE

Filesize
377KB

MD5
0d502a5031b071c98053f8f185011e2c

SHA1
dacf78185958ac714265648e360ecd0a6776f3c3

SHA256
2e4380e774828e6b0e42ec92af78d1107c315e0fc4d462baa7be5c94e86c222a

SHA512
198ba587b925afe70d757f53a2adc80478e11042abe43d974548df88b0f05c39fa904781b0fc529651912ea0377c4a20730c1cd7e31c152b32a3eca297cbe358

Download Submit
C:\Users\Admin\Documents\UnregisterUpdate.xla.ANNABELLE

Filesize
347KB

MD5
754ab640a700f127611e906d3593ad08

SHA1
7cfebdb0d8f32f978197aa025aae0745ab0bd849

SHA256
251f3a0c8872d99c33b958f0ba557bf8fecc7a59c93b694deb41db56fa5db1d2

SHA512
e1a429c26752f766b9231df6f2d19f290a68f863d8b8f738e2bfc7a7a6244c0d78f4358a4eac55251af2bd6126e01b59fb5598f8f8cd6b13f4033d2a4bb662c1

Download Submit
C:\Users\Admin\Documents\WriteResume.vsw.ANNABELLE

Filesize
799KB

MD5
524af7e0729ddcebba301bbfb2b16d60

SHA1
b980b18e60e539f3e8638088140cbb59ab93df83

SHA256
d44d36d6b0c1953cd45f3bd9b665a97a428528ad65a37ff94390a202965cf63a

SHA512
c8f52f2b370c0e32918a933c121e5253ed942bb609143ad58314836ccc250af72817dcfa5117e7ea8b6e370ce90f38da01b7ace592166f3a822c803fe273515e

Download Submit
C:\Users\Admin\Music\ApproveProtect.xps.ANNABELLE

Filesize
246KB

MD5
c901d4615e68b5ca206e09be59d4a179

SHA1
36a54fa80e48ed46692c509b85f213e5393bf356

SHA256
309f0a5793e422bc78c670024e2f5bd162f554ac88ad6d6411fbb423e22f4777

SHA512
25cc26d4958c2d4783ea7aba89fee9275ae4291c3193af34bfe59b474e919df3cc6f43e5b21ea899ac435a66b72918f09fcd0308b21dca2f36ff31b9b1ce951d

Download Submit
C:\Users\Admin\Music\BackupSend.mpe.ANNABELLE

Filesize
256KB

MD5
c7fc3a187ae03f36617fbc59fb9b0a25

SHA1
e84d9bea4a0b285d032a0d745a457cc2908895e1

SHA256
56405fb55670041b9af576b85ed36e409147a1c95bcbe7607f59a05941223a9c

SHA512
a70818ad9d6902c928dc7db13193dee6644de050c38183f72b2e890830fe39c9be527cb395a056a1ee07844b85a325e8e598ca0d4072cda5122536d5417b5226

Download Submit
C:\Users\Admin\Music\CompareRead.wav.ANNABELLE

Filesize
359KB

MD5
c38772b58cf64e39b56e7fe1847c865f

SHA1
46ab0b92f3782f9c2ed9d8d6c82672cf813ef53a

SHA256
232800338ff6eb6c7e619c8fe8f83e0cf8a64aa00d8bc1c4b28c3e4e0d61ca2b

SHA512
90db211e1bf37534b01ba8e29441ee54879eb8f2fdd74d29cf0ab73a936d3de7b3bf990476c207bb4599326a218816603fe1bebf2572a8329951d19e29de9a87

Download Submit
C:\Users\Admin\Music\CompleteEnable.wma.ANNABELLE

Filesize
287KB

MD5
3d56930c29b04001c2e5147cb02e9e5c

SHA1
4e54a5dc98c61f8588ba52c7d5ab904c41d802e7

SHA256
9ded9e51570b7deb246fb5940cd7186463236757b637a042f803cfb8237320c9

SHA512
f1038caf051d32c974325ccd2b57ee6674a925d69a107be0afb4cba0e4453b5907fede020f38eac33de2669fed5f0e392f8aad54888685c8d84c5a3af8b12634

Download Submit
C:\Users\Admin\Music\DebugSelect.doc.ANNABELLE

Filesize
431KB

MD5
037f6fa3fb4090d1528ff8e7d7d2dbc9

SHA1
577841c296290510cea1836b397525311906f2cd

SHA256
37e223b186873065e09423b551a1cb9ead8f2d086cf1fae0149a3f54027a91a8

SHA512
8e6a00598582ae08790e0455ba3dd9171fce47576904354ddf669fb740d003b9714ba27929f4b6af65b8f5d256825d549497e1034216b67d0a48bb5b629b2394

Download Submit
C:\Users\Admin\Music\DismountWatch.wmx.ANNABELLE

Filesize
205KB

MD5
91e367b198cd5f8427a93abb0a4140d5

SHA1
0e1045db9f5382d59d0f43bef1dea33d185a9559

SHA256
5ba87153dabaf0d4d5e79ca9dc1c9c12f7173382bb78630add1d25ae4dc9fb5a

SHA512
2e0be7e7fe3db055bf87cd023acb1015d3a48437fa4c25be3780ad87d455fbc9315fec1d5eea2995a947809af0c84304c7dd851ac19c163064c270ca4efdbcd3

Download Submit
C:\Users\Admin\Music\EnterGet.vb.ANNABELLE

Filesize
421KB

MD5
053808485d5fe18f1d6a6745ba8e2186

SHA1
37d479bc73619460910584ae7e205d79f91ffb38

SHA256
d85ada84146a6c3f2a46aea51c0124e89f17d4a2f19fdcdf3937a3ff235b90da

SHA512
1a2e0b75604282d7c0374a280cd6de4200fb64d8fbcefd675c5cfb481d16f0e07af83758177222d5bce1582f1596990969f297da5be8a4b1b00524b3b4cb6108

Download Submit
C:\Users\Admin\Music\FindRestart.DVR.ANNABELLE

Filesize
318KB

MD5
0a19bf3307f21bfbe2f58b8a27a67777

SHA1
0f1155e1772fc06205d27d16ee0aab75babe0f4c

SHA256
5ecb6f2bff9d0c3168417793f342d6bf1b44eff2dcec460d024d6ee4cb59823c

SHA512
7e61cb05808bff225d85ea90b63dbe47181fb36d51c30724f02e0d7dac899e25181c6ec4d8f341842c9d8703a1e6c3fa37b8067153113d984d7b268d20985a44

Download Submit
\Users\Admin\Downloads\Annabelle.exe

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
memory/1928-773-0x000007FEF39F0000-0x000007FEF43DC000-memory.dmp

Filesize
9.9MB

Download
memory/1928-670-0x000000001C260000-0x000000001D7EE000-memory.dmp

Filesize
21.6MB

Download
memory/1928-556-0x000007FEF39F3000-0x000007FEF39F4000-memory.dmp

Filesize
4KB

Download
memory/1928-564-0x000000013FD20000-0x0000000140D14000-memory.dmp

Filesize
16.0MB

Download
memory/1928-672-0x000007FEF39F0000-0x000007FEF43DC000-memory.dmp

Filesize
9.9MB

Download
memory/1928-671-0x000007FEF39F3000-0x000007FEF39F4000-memory.dmp

Filesize
4KB

Download
memory/1928-927-0x000007FEF39F0000-0x000007FEF43DC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-802-0x000007FEF39F0000-0x000007FEF43DC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-727-0x000007FEF39F0000-0x000007FEF43DC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-674-0x000007FEF39F0000-0x000007FEF43DC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-904-0x000007FEF39F0000-0x000007FEF43DC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-926-0x000007FEF39F0000-0x000007FEF43DC000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads