c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef

Analysis

max time kernel
199s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SATURN_RANSOM.exe
Size

338KB
MD5

bbd4c2d2c72648c8f871b36261be23fd
SHA1

77c525e6b8a5760823ad6036e60b3fa244db8e42
SHA256

9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021
SHA512

38f2ff3b7ff6faa63ef0a3200e0dbb9e48e1d404a065f6919cb6d245699479896a42316f299c33c8cc068922934c64f8aa06c88b000d1676870c1d0c0f18e14a
SSDEEP

6144:zUrigyvF8Q9fLglQ8t0qabFDfOdQ/LDA8H+wwaMZUUAOq+mwNf8fsS+:zUrigY8QBLg9t0qabFDGdQ/TlYiUQ+Vz

Score

10^/10

defense_evasion discovery evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\#DECRYPT_MY_FILES#.html

Ransom Note

<html> <title>S A T U R N</title> <center> <body> <h1>S A T U R N</h1> <h4>Your documents, photos, databases, and other important files have been encrypted!</h4> <br /> To Decrypt your files follow these instructions: <br /> <div> <h4>1. Download and Install Tor Browser from <a href=https://www.torproject.org/>https://www.torproject.org/</a></h4> <br /> <h4>2. Run the browser</h4> <br /> <h4>3. In the Tor Browser, open website:</h3> <div style="background-color: #d9d9d9; margin-left: 20px; margin-right: 20px; padding-bottom: 8px; padding-left: 8px; padding-right: 8px; padding-top: 8px;"> </a><b>http://su34pwhpcafeiztt.onion</b><br/> </div> <h4>4. Follow the instructions at this website</h4> </div> </body> </center> </html> <style> html { background-color: white; font-family: Helvetica, sans-serif; } div { background-color: #f2f2f2; width: 80: %; padding: 25px; margin: 25px; overflow:hidden; } </style>

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

SATURN_RANSOM.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	SATURN_RANSOM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	SATURN_RANSOM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	SATURN_RANSOM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	SATURN_RANSOM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	SATURN_RANSOM.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

SATURN_RANSOM.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions SATURN_RANSOM.exe
Renames multiple (155) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

SATURN_RANSOM.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SATURN_RANSOM.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1652 cmd.exe
Drops startup file 1 IoCs

Processes:

SATURN_RANSOM.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zy4hsui.lnk SATURN_RANSOM.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	SATURN_RANSOM.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SATURN_RANSOM.exe

pid	process
1652	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zy4hsui.lnk	SATURN_RANSOM.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

SATURN_RANSOM.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\#DECRYPT_MY_FILES.BMP"	SATURN_RANSOM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	SATURN_RANSOM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PING.EXEDllHost.exevssadmin.exeWMIC.exeWScript.execmd.exeSATURN_RANSOM.execmd.exeNOTEPAD.EXEIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATURN_RANSOM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

1652 cmd.exe
2184 PING.EXE
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2552 vssadmin.exe

pid	process
1652	cmd.exe
2184	PING.EXE

pid	process
2552	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0B42AD61-A883-11EF-8202-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438408493"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8021bcdf8f3cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000ff7b1d3b7b2bb238b9c3229728280bee61c642d74f68b369bfa5ee2e807e3290000000000e80000000020000200000009fc734a151474da97d1e9fab30757035c2f896286be7d51c32c528c360b2a14f90000000ae2b5b13d39cd59c2cf917e9b61d34e828e1380b5e18334bfcb7a8fc6e41c2d67a73194aced8ef4e9d0ec36f1536e1b697eac5a4ee63c1be344b1e8d05d4c6fb8239c7b87a5222b85a59b46305266fec5d04c24dd51724802e0f22e2f8d4b12f06aa74154615bde2fe74ed5476479ba6cb92d4f29d8f563c922abe7a32be7dd6a4a85b1c0421a15dbfddd9e9c909e3ce40000000ecb3f51b7dad071880afc9cd7daa0a2064d24b65715a1cd04a0ee785f7397ca97d62c822b39c85b76389e9640b5ac942967dfcb5dca17a3756ae7cc0a7f08cbe	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000b82dd20a25618129c9462de334f6e5d21dc6cd3b6e90a50db57f32fef736613c000000000e8000000002000020000000d73bbc37b9224ec3b05c816dbc505577b2d735d568167104b5acebc728f209862000000036893ad5c63a7a227e518fcf0f95bb6c1f4a8197d99ae99babdf26df080fe95540000000255f7357dea766d8ede0792c6c228b251ce99814c20a1ca547d67d4b8e7ee1b1d9249ae5819c66ae3ba9a592fbaf7423974abd96db47bd364237f68ec6b543f2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2184 PING.EXE

pid	process
2184	PING.EXE

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	632	vssvc.exe
Token: SeRestorePrivilege	632	vssvc.exe
Token: SeAuditPrivilege	632	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2676	WMIC.exe
Token: SeSecurityPrivilege	2676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2676	WMIC.exe
Token: SeLoadDriverPrivilege	2676	WMIC.exe
Token: SeSystemProfilePrivilege	2676	WMIC.exe
Token: SeSystemtimePrivilege	2676	WMIC.exe
Token: SeProfSingleProcessPrivilege	2676	WMIC.exe
Token: SeIncBasePriorityPrivilege	2676	WMIC.exe
Token: SeCreatePagefilePrivilege	2676	WMIC.exe
Token: SeBackupPrivilege	2676	WMIC.exe
Token: SeRestorePrivilege	2676	WMIC.exe
Token: SeShutdownPrivilege	2676	WMIC.exe
Token: SeDebugPrivilege	2676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2676	WMIC.exe
Token: SeRemoteShutdownPrivilege	2676	WMIC.exe
Token: SeUndockPrivilege	2676	WMIC.exe
Token: SeManageVolumePrivilege	2676	WMIC.exe
Token: 33	2676	WMIC.exe
Token: 34	2676	WMIC.exe
Token: 35	2676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2676	WMIC.exe
Token: SeSecurityPrivilege	2676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2676	WMIC.exe
Token: SeLoadDriverPrivilege	2676	WMIC.exe
Token: SeSystemProfilePrivilege	2676	WMIC.exe
Token: SeSystemtimePrivilege	2676	WMIC.exe
Token: SeProfSingleProcessPrivilege	2676	WMIC.exe
Token: SeIncBasePriorityPrivilege	2676	WMIC.exe
Token: SeCreatePagefilePrivilege	2676	WMIC.exe
Token: SeBackupPrivilege	2676	WMIC.exe
Token: SeRestorePrivilege	2676	WMIC.exe
Token: SeShutdownPrivilege	2676	WMIC.exe
Token: SeDebugPrivilege	2676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2676	WMIC.exe
Token: SeRemoteShutdownPrivilege	2676	WMIC.exe
Token: SeUndockPrivilege	2676	WMIC.exe
Token: SeManageVolumePrivilege	2676	WMIC.exe
Token: 33	2676	WMIC.exe
Token: 34	2676	WMIC.exe
Token: 35	2676	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2280 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2280 iexplore.exe
2280 iexplore.exe
276 IEXPLORE.EXE
276 IEXPLORE.EXE
276 IEXPLORE.EXE
276 IEXPLORE.EXE

pid	process
2280	iexplore.exe

pid	process
2280	iexplore.exe
2280	iexplore.exe
276	IEXPLORE.EXE
276	IEXPLORE.EXE
276	IEXPLORE.EXE
276	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

SATURN_RANSOM.execmd.execmd.exeiexplore.exe

description	pid	process	target process
PID 2332 wrote to memory of 2116	2332	SATURN_RANSOM.exe	cmd.exe
PID 2332 wrote to memory of 2116	2332	SATURN_RANSOM.exe	cmd.exe
PID 2332 wrote to memory of 2116	2332	SATURN_RANSOM.exe	cmd.exe
PID 2332 wrote to memory of 2116	2332	SATURN_RANSOM.exe	cmd.exe
PID 2116 wrote to memory of 2552	2116	cmd.exe	vssadmin.exe
PID 2116 wrote to memory of 2552	2116	cmd.exe	vssadmin.exe
PID 2116 wrote to memory of 2552	2116	cmd.exe	vssadmin.exe
PID 2116 wrote to memory of 2552	2116	cmd.exe	vssadmin.exe
PID 2116 wrote to memory of 2676	2116	cmd.exe	WMIC.exe
PID 2116 wrote to memory of 2676	2116	cmd.exe	WMIC.exe
PID 2116 wrote to memory of 2676	2116	cmd.exe	WMIC.exe
PID 2116 wrote to memory of 2676	2116	cmd.exe	WMIC.exe
PID 2332 wrote to memory of 868	2332	SATURN_RANSOM.exe	NOTEPAD.EXE
PID 2332 wrote to memory of 868	2332	SATURN_RANSOM.exe	NOTEPAD.EXE
PID 2332 wrote to memory of 868	2332	SATURN_RANSOM.exe	NOTEPAD.EXE
PID 2332 wrote to memory of 868	2332	SATURN_RANSOM.exe	NOTEPAD.EXE
PID 2332 wrote to memory of 1460	2332	SATURN_RANSOM.exe	WScript.exe
PID 2332 wrote to memory of 1460	2332	SATURN_RANSOM.exe	WScript.exe
PID 2332 wrote to memory of 1460	2332	SATURN_RANSOM.exe	WScript.exe
PID 2332 wrote to memory of 1460	2332	SATURN_RANSOM.exe	WScript.exe
PID 2332 wrote to memory of 2280	2332	SATURN_RANSOM.exe	iexplore.exe
PID 2332 wrote to memory of 2280	2332	SATURN_RANSOM.exe	iexplore.exe
PID 2332 wrote to memory of 2280	2332	SATURN_RANSOM.exe	iexplore.exe
PID 2332 wrote to memory of 2280	2332	SATURN_RANSOM.exe	iexplore.exe
PID 2332 wrote to memory of 1652	2332	SATURN_RANSOM.exe	cmd.exe
PID 2332 wrote to memory of 1652	2332	SATURN_RANSOM.exe	cmd.exe
PID 2332 wrote to memory of 1652	2332	SATURN_RANSOM.exe	cmd.exe
PID 2332 wrote to memory of 1652	2332	SATURN_RANSOM.exe	cmd.exe
PID 1652 wrote to memory of 2184	1652	cmd.exe	PING.EXE
PID 1652 wrote to memory of 2184	1652	cmd.exe	PING.EXE
PID 1652 wrote to memory of 2184	1652	cmd.exe	PING.EXE
PID 1652 wrote to memory of 2184	1652	cmd.exe	PING.EXE
PID 2280 wrote to memory of 276	2280	iexplore.exe	IEXPLORE.EXE
PID 2280 wrote to memory of 276	2280	iexplore.exe	IEXPLORE.EXE
PID 2280 wrote to memory of 276	2280	iexplore.exe	IEXPLORE.EXE
PID 2280 wrote to memory of 276	2280	iexplore.exe	IEXPLORE.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SATURN_RANSOM.exe
"C:\Users\Admin\AppData\Local\Temp\SATURN_RANSOM.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2552
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\SATURN_RANSOM.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\#DECRYPT_MY_FILES#.txt

Filesize
407B

MD5
f3d19c544c10a8337a7d9f7aef079a43

SHA1
252612bbdbdbe790853fe560ce5ce8e1df5fcdc5

SHA256
b660c9236f4d6d9b62eb04b40599e852f979dd3dbfd1d03e545a287fe8e5d32b

SHA512
c5cd69e7134f6d587d0823f6e7f9e5ba6affd75f5398fcea96e299dfb57996234ba87abe4632b2de807a4b79bbafd1b1132ae55b18a815eb8c4112b48942fb1b

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\#DECRYPT_MY_FILES#.html

Filesize
983B

MD5
81a5c46ac3078e69ee370e929c738602

SHA1
404c83c60bf8c5c711be2e99286549c55fed3368

SHA256
d6e6ad1b9a348ccab1255ccd894394aec921aa4ecbef55dec17cacdd8c5cd212

SHA512
5850a41591a39a84360db47992e360a4f618a28e949e49576cbe10bc624110665d3b1c14f0cfeb9197f567d10cbbe0cedaa9a9a9c281c426b9733f1e9a0614d0

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.F2Ai

Filesize
582KB

MD5
3e70bdbbd585a408fb53b6d2533234a1

SHA1
6e4b8c8414ab684c72ecbdc4df08fbf1262ced27

SHA256
3b7572370c6317238ed64b0b0a1b47a9e214ffe39cbc14dbdcca3717956f277f

SHA512
4c3003f4104fb5b106ef9d2b5e51c7b3ec5f3d5f3a22827e7ef5f158554d0ed6794206b5713a3d12032df54c5a20b4c854b5f88a38f6a92120643319075f90a4

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.F2Ai

Filesize
43KB

MD5
18aad98ddffa7edd78794fc2b0bfbad9

SHA1
2bc1d5d9983d2581e41d3a8ce0755cca062f8ce6

SHA256
2c929d4af4e4a239f59ce84b956d808fb11f08c56557c617f10c7e6acd92eda7

SHA512
d79ce12bdd0de013e7699862c374935304a207d807b4ae49967628c618362be9e4f83d60a7ca531948c287b9bfc06f06e96d7c1770c1b703dc9800d786dc4365

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.F2Ai

Filesize
38KB

MD5
8030d93f5cef3bbbc3015c9636ac8476

SHA1
756b12233e4a2a79612b7febca4bc809b924f3f8

SHA256
937ca0b7c3be5381623df598eca683bb1241b51f79a840ad0452cbba427fba54

SHA512
417d8a9c280a97fc86068748b2c71c9e176d8a46ee7a64c99f3bef3793827756d2046a805598355cdb0bb0c517ad4ed6d9ea882bdc5b283b8a9b94552b8395ff

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.F2Ai

Filesize
126KB

MD5
f766648bbea1c030657113d04ba31f99

SHA1
40b9b4a62e66a85f7ecb4198c42e85096bc85a2f

SHA256
11f92c31181e82f08853f3f5c5c0586d749b29dd72f39ebb80fcca71d865e828

SHA512
0dc3bbc2de0709f56e938c6ff2f9898b16a9d635f30f4e0537b6756005f324d6428c19bc592b194c2632cf1593c8f09b3ed949f1b4df281c80bf3df24dd48f4a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.F2Ai

Filesize
28KB

MD5
6a3085d7c972b039e7422d32747f1d63

SHA1
b66592c20f6a8c8f16af78666b33a6dedd650b6a

SHA256
c6850ebd2e2f894ac1f83427999434abcef8eee85e90b4a214f6d4804a2de86c

SHA512
a1d1ba01a50c72405cfd95bbfe2c234dbcd547a028476100878e6fdb4c9e80ea8be7ba67ba2bec7a61d63e438fa24029bf8338568645661fbf7951786bca0e03

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml.F2Ai

Filesize
1KB

MD5
6db28021ecf781a9ddd8691b710bb1d7

SHA1
87814bc096cf40ffe851ee8f388a9dd303795db3

SHA256
40069374da7d40153bd828051470b11de8daf2275294b928d091d6cb4434ca84

SHA512
2d712751fa0a5bb3e273dfe3d7a7616d015c83174beca3712dfb8b99149f72d086ed61138ab6a4850e0ce55097927715c9b10c93e3d8d6184e64c8a04b5f4f14

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico.F2Ai

Filesize
28KB

MD5
118455974270ed29e67cbec173be1b7c

SHA1
45a32168f3c1bbe46c06a9912db7eebc32703324

SHA256
3db99751de20af284348745336459793537fdd3de6d315b2f3b7f1e60b8f0b6b

SHA512
4a9c0493386192f7177ccdc48805fe70bb70831763e70310e97f070992d5fe464ee08e15ba47f4fd5184e35eb1d8a8f518ad262f03fbd91cba4158c0fa7d8b83

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico.F2Ai

Filesize
81KB

MD5
e2bdfd26faf94e88a0dc01deb7d5337a

SHA1
220845202c39e01f5b46ec9b85a78799c8f9c0ae

SHA256
fe71df9aabed139811606d8a649df6a189ad802737cbc38e6abd810b083d620d

SHA512
93024ed1f021462f6cbe158e313bf90313cb0a8678628895813b53179ae0e3af133fc7a9428366736d272a181ac6a010852981b69440d9a3297073dea2de3c2a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico.F2Ai

Filesize
50KB

MD5
2cf18ee83c43be04867d485d17097bda

SHA1
a037ae13523fb6c108ad7971e5abbe0f26d17a0b

SHA256
3c532f0a62ca018564ebf29f8cd22922128cd1ecd1739efdc9090db7ea92c632

SHA512
b5c0d2950e97f9d8f81b1a3f1f3f04179aa579e1dd0c9df651cf8052674e16d7593ddd6b1519359f644227b7cb499f7d1155585299c2110a69a7f91abb070e5b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico.F2Ai

Filesize
66KB

MD5
81c6e637674bbb946c45fba452be6763

SHA1
f3a68356047335071959000858984a4ef5550a0e

SHA256
6ed85d796b293f7c5bf0057a13c07bdb3f029cb3b3125e498ce4de11076a80da

SHA512
7c3237f3b73840b010453b7ae6cb08e870408b776c17c5421160d2d4e25d153cb2407f14be539ad1b66e894880feb9ae33bcf38ca38496fa8258c73856ae0f6d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico.F2Ai

Filesize
48KB

MD5
a9357f2f5b87666e84a852e7c3812461

SHA1
f772a04578357cff453d606447e770481ca5aaa2

SHA256
fe792bc68e417967b0c0dcc37d051db44481f76af394b2f3405a82a1955cf38d

SHA512
4ded82c0f1eada47564bd80d20a35f4bd0eb63c1cb9b521d63650448830b1117379c6a95517746578cc23b115d3e7c18ed9b5a9cc9d93c91b4f53a824ba86786

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml.F2Ai

Filesize
13KB

MD5
4ef9af710c48081bfdcb7b2f09023c39

SHA1
e6b7c85ea09a170fc1dbafd00f8d6a968ab23cbb

SHA256
270ab898a21e274fb29167572e46c412c0708530467864217aee8ca909663a26

SHA512
4a9b2122230e67ee2f242e9a6e0e15f5de763d4863c30d906dba69c1444c538234b3b67dce03ab2fd76c795bbf5c89843fc0cd81184fa5f09466f050e275e02e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico.F2Ai

Filesize
110KB

MD5
4fb9702dd37e207bb86b20089eff095a

SHA1
d66e8835e8eb6161d5169ea2aeb7373b46888fbe

SHA256
dd7ae30242a1f1c785d8408253435e546a21475b6c1bfe4d0b63a2692b50ee97

SHA512
17122db0f68a8207a9f270849dfa3a5db9b52ae3db65dc5934edbb74babdae76c85842cdea63151b25b46a769f2fe60c041c1b4f0f8f8ffe9fce938e9fb50666

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml.F2Ai

Filesize
1KB

MD5
1e57ed16f9d5277df3ddb278204a182e

SHA1
2ec34ce3ea1afec29846835c110d48bd99272b7e

SHA256
71db9568e3e98a135c4d3d6869bb542f338eb4ab43f3b2469e7387a62978ab53

SHA512
8503646f04b373bfa7223cfacc8bf19e789eefca6bd0c6c24cd22d4e81c44e921fb6695a11aaa3844968f6fa92d38a2aec5183dd91acf8b9848ad06a1bbe608b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.F2Ai

Filesize
52KB

MD5
6478fcb67357309727ff255682f2993f

SHA1
acf9657315e216343fc98b02fc6d42e15f5147d4

SHA256
6263536a9928ef8879557ceeb60f417af7cf201739a7d5c1419c76cb1ce7a662

SHA512
81bf8ebaf08b68a00932ee69deda0e5e71cad77d61bae1708920204a7ca39c0a8f37d7c0cc1317a455380e46b59c8f9a8dddb5b615926dbb70f0e50d99f35e60

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico.F2Ai

Filesize
57KB

MD5
9f1bb0d5adf77dd92620530f343ae46c

SHA1
5b936c955c649d5fda2c2b04b020333356904f32

SHA256
6f60684d993c11e1fec815e9b523ac1d6218a3427ff5fd11292e2f37005a83c1

SHA512
7fcb356e43b2fa51a070c9fc96e0f20b6d59588f42e828ee05d271f288eb439b9f1bf2c911f2d52ae9d9442ae64b83ef98db0f7938674a1a6c80511ee4c53a23

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico.F2Ai

Filesize
59KB

MD5
b3f6be022c7a33546abc93b04a065e88

SHA1
db5fd8aaeb060e4401cc5f56568064786363883f

SHA256
24a54d896506b1ba34ddc67b92ba983cedc24a68cfb4e4ee2eb75d3094ec8358

SHA512
58e3ca8e03c867863ae814eea02cee1924016b1cee0df83212fd9a82265048780db5917c2e8cef5a6f086cd298244d60f1db9026b3179aae8d6f077f56259dad

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico.F2Ai

Filesize
56KB

MD5
7268325bb9b02dd0e49409dc562f28bc

SHA1
c1f3b08b4e2399d50c3ebc2ea1b3122f9fd11423

SHA256
e1f4210a317beb430d00817a1a752a9f36cd3b9d42fe57d83eceea2532b33e97

SHA512
2160435a903d08106041d2f7d3dd05cab5e5ad8e9ae3e6b97fe09a3d35e7860a6081ea3917980c3fee05c0960d35767ed03a0a48c13cf6936f09d512965cecb6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico.F2Ai

Filesize
59KB

MD5
215cff9f54f5e05fad61ec887d15b331

SHA1
22aeeb40f69b5fe44aa0a50a302a9c410d3e34a1

SHA256
7aaa48bb99a579ba19780f4ae14dff532b17d092e9b70ad5159be60989b4bbaa

SHA512
d9ce19827576496c273debaaa94b285ca275f13223cbd8830627a7a777e560b1f774a4efc08b0f3dc0590a8ee6c4959a3b49a068cbf0bf7cab7234565290a788

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico.F2Ai

Filesize
65KB

MD5
55a677c6cba38a16374cc1c20e13c238

SHA1
d70ff2906d94f0f755e17707b2ba1d372ee88a4b

SHA256
96879e4ef16534f8a39cc7a32564073f6fe898affdfc788a830ffac16d8226ac

SHA512
e193d77881469d7283880ea2fce462ab4010b3158b8581a03aa4ef54661f11d69575a7aa715f241a64253e9635ed7678005a7847e45ba3fd9697ecb91cebedc6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico.F2Ai

Filesize
62KB

MD5
0f4153ba6e607b2ba6f74f6d26a8634c

SHA1
6eae1e621895019b30e04f8fe38b09f831eaa4c1

SHA256
b90a3428c9eb5a672956320dd9b282826b436dea8059db43cd9ddb36c393d81f

SHA512
656d59753b05dd08ed0151b137982478774d26ff5648fc0680c853c7046f43d53b035eacc2c44d2f1ecf2bc5aff8bc5785c9200907f0a19749fe71e2410cb822

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml.F2Ai

Filesize
11KB

MD5
3254d3e783a34f99046d19d33fffcc42

SHA1
2190c7c3b64ed9d1e676614d85296f68e215db97

SHA256
4357f2db28037eccadf5c077e0adc4847f8cc35f34c14ba746d30650b76226be

SHA512
1eb6fb5b5a5dd9fb9e77a9d0e68c22afa46253fe96573cb1c7a6a305ac0472111252313d8f295fabe133e86e82b65fa3dc7ad550b7b3b0d930859c8057c08ea4

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat.F2Ai

Filesize
2.3MB

MD5
c385a96ff47c70c84ef41b7d7464fe5c

SHA1
eaf3766525c7eb049433eb72f54631453ccb1618

SHA256
9573d7853dbd1c15728509813f5d5e578037b46398f610c25e31930061a8c63f

SHA512
2486ba76f3817b6cd59e42f76701e2b8b30d3467e1c4ca4790c969b808556cfcf8517fb1f475f1d2ac432e181806d933dc1e9456611cc13a6347af79364c2120

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Admin.dat.F2Ai

Filesize
128B

MD5
cf95f8fc17b7ef902dd71aafbf9c8995

SHA1
5e13bbf824c6e2283c2d335e0c2012117c9c852d

SHA256
5ba74c436f9a828e5216e124220ff44789e1e24889d48b428692c100fa4d29a5

SHA512
8ca2c002fb65f451434077148d061ed78ff62f41f66b0f53944942fe6d284ee6ca9402edc09f312bff3c670fb8fb27d38de2bde661bd2ca5cadeee412c167847

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.F2Ai

Filesize
48KB

MD5
fb008e02767f719b04140b443293493a

SHA1
7522544af77fdc7373e43928aa1116602184fea4

SHA256
e991c3a785509f09bcb4c3cda24fddc4f6df28b5137720f94eb409d26a6736dd

SHA512
92a879403c2b51560aa55ced85d35dba2f356bc5a2ea051764ccd413861f2d48ce77d6c18603e0fbaaadc777bbf79b62f986eeecd9ad758d63ac477bd3601871

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.F2Ai

Filesize
48KB

MD5
6381acbe361d1d06968713eac2dd972c

SHA1
cc764e33d92ea6db6e3c9172586021640edd6572

SHA256
17ce6007a2835c8d623991533270ea8185469b7be2fdc2c2a35a649dfee34de0

SHA512
fe53beb1997483847bdea46ce1cd8dd4c994c5703bfc6bc37d6fcd4c5adb76c021ef177de35c53179f0fd14f4e6ca5ed26bfa47708d3c1f0d87351974e782097

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.F2Ai

Filesize
48KB

MD5
4db7730fdbadd0c745c7aaf7d2efcb82

SHA1
ad86f0412fcb55e150e905c0ceec1c89d8f785a1

SHA256
956ba463b04ece6b21987de0c7fd4019f6a4c53a617235de6b3fed1411b24e4b

SHA512
d438d1184cdfc758c289f4c998b1215b0d437801bb32aafc9266a1e1193861fe1249c48b74c17be3139d69f314466a46429d1d43accde618716d27f32e446603

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.F2Ai

Filesize
47KB

MD5
1c4111e4a7bcb835030b64066630da8b

SHA1
4daeb949192e4c74c1fd4c1b5e9c06b20c9dcc15

SHA256
bcdaf50780e25c7812b9c990f8af18f42586cbfb8a1229dddc32c42d19cdd284

SHA512
f61199ba04adf50c9199f607a455d1feb8b1d1055e7e42b0c41e58d6537e2fbe31cc24f9902476b718e41efce33d26c8fe26812bc4975755365ad1d5aba684a8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.F2Ai

Filesize
48KB

MD5
912bfc73eb5b4ba33144157adeaef138

SHA1
ba0ac8e73f847b9dee554e79f74a80cbf81c2216

SHA256
970bb582eb207d9f331426d033e6f8a5675f24950caa1c4791a926aae31ffcc9

SHA512
3e4dbeec0e9e617b8e779a17f4c2c90cc1796150701ea6604b779a9b833305801e6e66c29b1b418462bd7f86e80331f99d1bae3d3a9ad7f152ea3fe5231675a6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.F2Ai

Filesize
48KB

MD5
6633ed5a83609e48fa36da827ab8e408

SHA1
0b4b0a36746ddcc5ff1c7d75fc57cb61adef1a74

SHA256
99055ef1d3b7516b1f3047e549f2114c1adb2cfe77c98a644cbd71ed900b3211

SHA512
30901d1f61d2b22122a5335960d5035225507e4fb532e7c42fcf39a73710b2aa391bdd3f60811701be093a6f6839f5cca8ce8bd809b14d2074a7b19b97a0755e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.F2Ai

Filesize
48KB

MD5
bda3d92e01abf9442ac77f5addc89e7b

SHA1
079576616c84cf839456d4e4f6cc93c71107185f

SHA256
99b7cf6271687f116b3934cabf2adc6a09486fd2fb07ba811675c650943199fa

SHA512
b871d9a442ae6fe2d5052206593b0c9c9fc77d3cf8f67c61dedf39918af7fbaa918780439672e2e4a112919855ccaf11f6461621b33212af2a154a493628f231

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.F2Ai

Filesize
48KB

MD5
dbc870354e26cb57eed44a8c8ff7baf4

SHA1
d41a00298fef60c47196ef0e3ff593e6470672fe

SHA256
46ff8b5bca3dc59f9181f975cdf46f4c6f90d4c462a96093f6614ea7b890e2b8

SHA512
d35e97f0e4ed887614f7ff7220f7f1a4e7da76583b9c36dad28ebd7989d1e908c128f009f13bb15493211b0a553111009a6ca45f81b583c0c49e6388f1d9f941

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.F2Ai

Filesize
48KB

MD5
8e7a67ccbc16a9d2bf83a391e8b50fe5

SHA1
a4a6350fa80e5ec725ca218b6791d781a6693b6c

SHA256
3a937733663a3a75dd1d8abb323be5af4e77738ce5272139caac472e5b250513

SHA512
a34eaa5d9eeba6cc964076b462c4087bf3415e1ad4307d61d738ab60f386c5f7d8d87df81efeb185dd64c6f84b260ea1c87a4bfd73ae46d3ff5b315fa871f083

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.F2Ai

Filesize
48KB

MD5
66754fed13f7323046d4f391e54d96fa

SHA1
1f8df0a854ec9b4bc08c2b255631c024472e18fd

SHA256
607fcb785473c47bd495671285e45e2475f40a22bb237e11ee81f49d7adada8c

SHA512
f49455e33a18238330a1d2e6c40a02ba6cb721fc8ed06099abdc4463e6d3a1f311e16bf5ddd03edf1875a435f02ad8e636e7920e958575b400de8da78ba49a9d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.F2Ai

Filesize
48KB

MD5
d9b5367dff9b5d914405364fa972f21e

SHA1
1f86110634131f3afd40731d55215d84767df116

SHA256
2d3847f3e256951337414f551e2d83c76d96e2f72198f87c046b13ac0b8c1cbb

SHA512
5c0244461b233d5230e0cc9847f08904088ce12e6c0a5df80264a243abc12c322ef7abcb5cdcad598f77c7c38bf9d78a863dcaa8e6674e49d0723dc4e7de5549

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.F2Ai

Filesize
48KB

MD5
ef93ea3c8a91b5a5fd9121276fae41ee

SHA1
5c7bb7e3aa621296de251341ae50c527801108d4

SHA256
4aca82fbc97572a9e36aa57616616cfa32cd55490bf32cde780b5a6d2869154f

SHA512
a827114a8fab42f33703927ff8d41db6e8a22254d307fd4fa40e8d797c7ef9dddf873824ec845b977c669311f90b81c4b817655c0dd3fcf3643d09871c962852

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.F2Ai

Filesize
48KB

MD5
aa9cee28098fb851573595bbcbc7720c

SHA1
aeb7ae6c30e86c853ec2c4b8099391cc3ebcfa74

SHA256
0c81bc709a2b97d4a4a677228abfe4578514fdaf5678dda6e6bc90975da3b90a

SHA512
e81052c1506b3207a0d3b665d409a3dfb0aea69fe4971b82c9dfc8aa96d5c14ec6f1e550fc64863bd6dd9ba374f51283eb970e6b7f57397f45a213d9c9a38d50

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.F2Ai

Filesize
48KB

MD5
65c02805ed9d580b75710dd3350cf39d

SHA1
5f0333d68ce1b8c4d2b70424eba1396c5c305e5c

SHA256
f346defb7609f1ccd009b2ae3a07bd6a4b5ee33d70a611dc1a5436c1160fe173

SHA512
1b51f81bce1df1dc4f3c5172b161053049794b13966a6abbb3ba70e1a796049b8bdad919af9810868c27715e120b27340caed3b5a53359a5cc104b47c690546b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.F2Ai

Filesize
48KB

MD5
131a188b6efa66f918c372c2f30d2514

SHA1
04d7ab3e05d14a88d77c86a510c2505f1622e778

SHA256
b267517e23e8328ab3a3d7cb3b000993b11b92ab960c0d2fb52106106be6b14c

SHA512
334b41ba61cc155e1de0adc979fa84dbb6c7b319364948642d068dc1c393fe2c2d7ab5e77c4e42345c89c65e725936835c10fd0f27d13dd1e4c3fb68cde9024a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.F2Ai

Filesize
48KB

MD5
e0d47ac2a84eb85a6688f618c8712b49

SHA1
0efb76db0c6be496d4f80d58938cd7644ffbd6cf

SHA256
681c9ccf4330f2888e5b497eeb7d80dbc36e8d543be2fe387b2ffc642fbe22e0

SHA512
ff06eee05dc74c987968052263a2b835f9f718be3473599c4c43c0b98e387ea3b1734c506740d8c40040b5954ca7ee6f042647ff97848d8b0af52ed8b44c8766

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.F2Ai

Filesize
48KB

MD5
4e79eda0f18dd877a0b20314a251625a

SHA1
5c19d6e37eb8e1eb408cb2822370c4845d39a65d

SHA256
deeff553cbd921d18f1a3e2a3246f7179aa1bce7fb13fb2f57ed21c5fd79299e

SHA512
65c770d8dd9ad708ee3fc4e42976ece633ff01913118403729b72b04926e864b7965348dd407061ab4f87653d9b946e737dee562edd128c34c8d9dc2e3826a8f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.F2Ai

Filesize
48KB

MD5
5ed2e868105268da6d0594359991b518

SHA1
dbf1db52d29431fbaee5080f8a5df8aded5568f1

SHA256
f9b62e09dc546085bb4977fa862af21687661a9ad8aa5659d61a6ea80e7e598d

SHA512
4cba6f9160b744863df7c61d4ec89bb0173e410de8f6b8e105b76705ca77a521377c4db1891fb1cc72fefc981c72e664a4e2a660f5b2f58bd57588ed04e9238b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.F2Ai

Filesize
48KB

MD5
1e4eb3fe1ecb65ffb225e5f71be0960c

SHA1
0dc7fd2f075a6d14e1e75df982bad3df3ef3eb7b

SHA256
699bcf7dc7d8cae7dccc629eda57051bd74f5a9da8c867ae9b896651fe580805

SHA512
b7091f004ee03a438728b51fbed62105c0756c43cefc30933c401a0d506a048faddad37c762692936cbae6947033c4ec8a19eed804095b455a322fa82c380854

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.F2Ai

Filesize
48KB

MD5
216e42a835900dc68d32ca3b9c86977d

SHA1
24596a70d083295f13dc747763492904894dae84

SHA256
0cf0c577a6dd0857fb226bfa678a18753c95c533c2a736d5b914fac8cbac1145

SHA512
39d812b9e304d481febeb94fe083308db29a1cfd4e96e0bba0755fe822f600d54fcbd7452910e285f7b2b4e0d74e6abf9cd0e3e20d2041384b2841e71d980b43

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.F2Ai

Filesize
48KB

MD5
a9230615c3959949d086c18555495f04

SHA1
d123e4dcc2656dca70fc0f10493bbd4f9ddf7410

SHA256
868acc9fd4a70847c80aff2fecab122fdaabdc7502650279c67f3587a7641347

SHA512
0f4dfac6688e76223aeaf6d9976d3a65ac88db90025d6b2f9babe1bfd7d08f6b9b8aef096da45c4480e382d6264eb49b5eab7817096d3aec25f041a64b1af6eb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.F2Ai

Filesize
48KB

MD5
3b5ba96925ce38d2cea728be3d45842e

SHA1
a38961241e1d30e5461f85ac9792d53c4bd8aa34

SHA256
f198cf006544aebb35da5aefa813b1d5e2520ec8e2b08403667d87fc96a6a24e

SHA512
fdc78e83fbb79e40d04090035bfc493989cf189e327cd68b97d3e5f0d52a157b64f79cd613845037559035c4eedb32ff6dab6b63e67dc846c309dad1f3876823

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.F2Ai

Filesize
48KB

MD5
bcd3c9d1d3fc9556ac041644ac818c31

SHA1
f491fb0fbbd0e0b68e080d9be3e0b15ca530ec15

SHA256
3f9c16b73f0397ed195208dff3629a65921f411fb536b5778f10ebe65af491cd

SHA512
65e6721dc33aa708280863f228a84313c50fb2c14a917e98dd2a1f17405ceafafce4810f154789b15268543d7ee94efb617b6ff0d18af94e0b4b00ed4d1eda69

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.F2Ai

Filesize
48KB

MD5
c8325e77862fca29138f4eae66b98526

SHA1
df78f19b0ee484dd07ccf2b6fd428ee531ab46c0

SHA256
d48413c675735a0bfba3b9aaec2ff7b32a732662803315acd2adb7410c0dd11a

SHA512
9fb75a46385880a8ec70c45c41d8baa509543bc91112f79e56c58eec783ccbd4c257fedf285feca539d9c0578ff7b3e1fe8af37a0a6d00328ad89ce62de98e72

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.F2Ai

Filesize
48KB

MD5
e03ee49f475353b18451b19f9e8cf925

SHA1
5460f313d998efef5792f25558bbc880c9392308

SHA256
639e8b2547584bffe346ca28b59f9c51e23b47ae8194d473a28ac483b7bd6f04

SHA512
51832e1750143280b85784880fc0206e78ee38985ff08bea2333284a96d610a733e6b72a5a36897e70fb615b23e3a7770519ec3a1c4f38b4d0477d400f021f0d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.F2Ai

Filesize
48KB

MD5
05926ae8ec9f6892cc6c237abf81eada

SHA1
c5e913b359aba783784cf97368ae910f9f37597d

SHA256
48ae3e8480d9ec2b02cda92ceb7e85e0633736646939af0191e224128e321f62

SHA512
8acd8aea324b49191f88e9725185da87d3ebc9900d296a19ccdeccf35abe59c8f2cc7b279173133327811d13923e6a8c3ad88542bfcb137ab2f555356e369d00

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.F2Ai

Filesize
48KB

MD5
7544a27e2db713f5ab89621460de1169

SHA1
6f8df4b6e3c2e21073b5018e8ed190598c522465

SHA256
24ea97ec47c3515599779d0b57f1c1d00cdcee2871cec04a7d0880d02b283d47

SHA512
bcde8c1b155c7a4de2c48a26a1c9a1f9b26dc36caf8fa7883f160b5d91f28b01909581a73874ef4bc274cdb8a7c262d17fcace3bf146e66d6145b51a5f72cf0a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.F2Ai

Filesize
48KB

MD5
f049c55bf2059451aa306232684edc39

SHA1
43bf231e0ce12c485d9f4dc94ac8ef252ad3f0de

SHA256
5ee4c7262644f5799d2287cb4ff6167e8f3dcd3abba019f82f04169b2b81058b

SHA512
694eaae935ec1f3132406e3f9f6d9dfc5f1c5ff6986f03c99e63765bf772a73d384d8eebc8d562d69fc01ed2fd14827a45ed749443f91294c6e31bd6526c415c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.F2Ai

Filesize
48KB

MD5
f3fd94ca4f2d78b2a33fa33c1cd8f6de

SHA1
cf2cc45782f2e2b09eaff8eeae686375d2cc8c57

SHA256
0e0d3a581fe5d5ce291fc2aeb238b1794d5e70fb9b5a833de20c119abb5a565a

SHA512
5810271cbf100c98e34bc7fbd3dbedae1755068e7dfc74179c6315cda9e5e42b760c02523b96d6e87ae9d9179bc4a2b1fba4b986c7851b3081a2837eb8221693

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.F2Ai

Filesize
48KB

MD5
a4c213fd684313c6188e61ffdeacb6b5

SHA1
4215961c69eb4000202b8e3494e726604c48005b

SHA256
6824a061a775efc62f35d52650f5fc469714c97228c5ab4e71bf6e278a35f60f

SHA512
df5aedaadd6927745ebe435ae6ada25967d382b2cd4f10617e7a3aa30c216d12d1235567ee311cf3a87f9cb93ad48b674af6792b16c07dd82c4525cfdfff15d6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.F2Ai

Filesize
48KB

MD5
7cc8e42089864d312a7d297e55e67881

SHA1
8ebe6e45aa22e88af84a43bebc38ea9efffa372a

SHA256
789b6f4a648230105c7e87bf56475a0667262f4a3b760f72f012d3da6f55e703

SHA512
dcffe879607a7ea3b1862d2cf85a1d42c95ceda2431cf66d8e5b5993ff9cdf2cad6c026d705b16fe2c1f4f232300ac97f17e5ebdc23ec8c381225429d91e9331

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.F2Ai

Filesize
48KB

MD5
e221b45c0443ca830a26a21758963ddd

SHA1
526365959cceb683efd35124606c4ceb8b2dfa51

SHA256
b20a121c4e7bcb45318fb71984ba1b473ee3031f8ab6c05b1c13f7040b59c8fc

SHA512
4653cf225fab02432b04e98ff0aca2a4cdf16464e0c7e396b2b65fe7b32df5fa6c3454d069d171b9d63860269e13d6b6f4136d5714e8c000054ae0e076af7633

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.F2Ai

Filesize
48KB

MD5
367b894708b8e1e78cf1b01025abcc7f

SHA1
c2464ff7219c1f86ffcb6cb3e54d67c14814a8f1

SHA256
a4ceb4548763e3e6f99a7357c5c1ffedb37ce7a300295f37d91618dcc8addce8

SHA512
a401bca581d3eb4a4e8771120055e36add17478dc8f56cd9762c07d1074e5450f2a42d1ade55e4091d55a239b59d9d6508da4935184ac707c14b6dc9e68358ed

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.F2Ai

Filesize
48KB

MD5
aa45555a03c52b73b416e379ad065e94

SHA1
348e02a9d983f860e7cb57957ec840ee9d5f9623

SHA256
d45efe20963a0a6002225440960bd22ef696b32db7a55623bdc2a64e2b7a81e1

SHA512
f7f2743e46a8a20f651bd99f2db61f9be2c46466e250b4e2895e27057e928937047440e4fc3a9e9e808ae088472407c58510b170cb76f293ee38de157299dcdd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.F2Ai

Filesize
48KB

MD5
171d9747f8b1e3db4a0495be41c35937

SHA1
6c9dc9239c21860ab2a7c29d47ebb87235e57e7f

SHA256
3b8c81ec5f488e714f2c15c40a247ca1be69d25653b005c1fd6fb8689ca0cdae

SHA512
2ee2fabf3d34a30f7d2301d6cfeec35aa2caff9f7e389012f05f2c3d3409c102a2ffcd520c0d7d8904a81bb423b85766c128e6d9353107b32846a585725a3dd0

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\WelcomeFax.tif.F2Ai

Filesize
99KB

MD5
e0a66de6f68b84f8a29dec993d125d89

SHA1
f494d9df6d405e382b8ee16d2b5ba3b1b678fb67

SHA256
580e6464757371dfb9cc442847a7f233dac5b948d80dc683b57e2969475b04b4

SHA512
f8e5adfd8f82cc28a3dfa594dfc706765108f5fced0e6fbbe50e96b9e195aaefb2d48d464a594167a589d21592e01123af79a169fa4d7d8ca13e8b1ddbd67caa

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.F2Ai

Filesize
87KB

MD5
11a18474335de899edd791f80088f0c8

SHA1
dbf5ba7dad11830459c4791291dc300fbca32619

SHA256
59ac2e32df70d9db169076bc4b063a9dc58e341717d665ab4d7978cf3c5b90d5

SHA512
bca30b303a0076d8806ec1cd99621d1ce4cf92149f27f2c19a4138c74fa649356238a32df5c438b27ae20b48c685bb3d8402ea0a67adc6213f0498f770a3bc68

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\es-ES\WelcomeFax.tif.F2Ai

Filesize
94KB

MD5
234b8bb52cd129760a889646d5a4427b

SHA1
e068bc5a9ad08368ab76a18b417bbb9c04c1fc2a

SHA256
1d5373f01b143b82ca7a187b0d30d3684ea47e5d951901aed254edc1365c0c6d

SHA512
8567134c83464cd19a21107f8bc138d5b576d2b082cf425146a31991e8a29e89208dcfcec786d56ad9ad379fab91e1b80f875133d05ab967be67b45a70314eab

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\fr-FR\WelcomeFax.tif.F2Ai

Filesize
100KB

MD5
5ea45760c40cd63366fe16729c8dbb2c

SHA1
2649c5b92782b94f3027de201106fff2e3717eca

SHA256
0a3d8c62b410987f4afe06bfb285cb34394aa5bbc21a0814b4d4769ed6c236fe

SHA512
393c394f71a6e6b1884e5385a07ae8eacddb21d05250c0b5b2abc62145c62393b10857c1850190af7db3fcbc5a984304cf1c2a4e1e0bad39b16ae43b07744e9c

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\it-IT\WelcomeFax.tif.F2Ai

Filesize
92KB

MD5
748f22c91108dc03d9c3697a016961bc

SHA1
032ff909d5a7d875801db4e8a8d8017121a75221

SHA256
e5e63d267890646953409918be233ebaade2037d06ce453d0871cf6c3af5eb08

SHA512
f6b34883723ba65eb0d97b2e9f73c68418eaa93f79e2648aca3af46d2b68a454ef851c227646503aa090f58e8c1061b957b99d20c650bd45b61c6a357e8c1c0a

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\ja-JP\WelcomeFax.tif.F2Ai

Filesize
77KB

MD5
5ab742465cdebc0090c3cfbf7510dd30

SHA1
e022f570ef0db3fa32edfd1e662063d6ac6408ca

SHA256
852df6a8a00c0e950008bf3b534b7853fa32e61696ec648413f9aa4eddd955c4

SHA512
0e6e49b8fae4076c59e1ea5882732eada65d40a7466fd6e1bc8136f5a890c687a40077dec1481950ab781b668f3f0be1e5d118b3385cef311f7e6e4883cbb176

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.F2Ai

Filesize
504KB

MD5
cb13841f6162d93c38f557b6dc6123ba

SHA1
5814d5d194d470dcb4541b0a35d0bfdf6d8c88a0

SHA256
bca2c1c4b594558e2db244930dded427203d32b3c407ee380e18eee64bb16e89

SHA512
04df2bae5ec7952f28b89acc4d3735b4c49d3f62919ef2425e1d4f53e372a27177643367d1b9c5780dfc17668ba62df91af0b43057ce5f61783f8ecc7c8d0ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f488015d35e319e9c7c342616df71e4

SHA1
6d1e474f36f990f9f87c0e7f8e06bcae50e2a7ed

SHA256
7cb9636345ffdc31d3940fb2abcc6c2eb7853352014dc580b7c9000062aca8c9

SHA512
12c126c7b8c82446ea6dfae6fb69a4a4afdd391498ff8e273adfef2c253612502ccf59500385170f7c6ca119b738a4c108e6d5d49cc91d5ccac5024d36f03c3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
408c4d25cdaeec521ba6ee2dba7aa126

SHA1
0eef77f4fc199058db6c41939e1eb9bed9899152

SHA256
fcc9bb660b59b23b4d9f6cddb88c22f5891e50b7c361222f3ee8582c3b4e2816

SHA512
3055fa94e315faa36b10054e411e667ea5aa9a0183530cd54a8b517396558b49a0829c498bc0ab90cdfc4be916a469044be7be68c8b14aa3d84880eff7964e3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7977480a6e8c04787edc17da6a90ddb4

SHA1
636b4397e34289ce4699a30f39e5de0ee0e2ed37

SHA256
8c15dc5d2ab86c9c8e9d06ab581d5fb1f9017ee6d351266a742feebf92f756ec

SHA512
0a98f7d06f1c9cac7e0ae1ac38f0c75a90d3fc01c63202b4891548a05d893482d6b1e4ffc34336b81ec99823a2388d39fa560f2098c88d922d34ee2f764e322d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6da50de8695fc24a9a0b68f680a687b5

SHA1
70be2508527768af46718fd6b4b00ac92c25a205

SHA256
ce64208a269f87a9dbc767d2d71c5a9abfe9b34e27c0d459e869fa7ba29731b2

SHA512
fb51c6c64ed40220f0eedbf1fc48410e600735b67d30cbf12680f4df74ee3cebcecfc3127654428223d099e6df1a124a259b309c7ddd889a49a554013d3436f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab462a117ba868d117b7a73865a9be67

SHA1
f55de1fa85a2d550b390d75e218c10899e872f31

SHA256
da975e1204fb5f30af53a2f6d82ad6b0830cc828e09461edcc11bac80b45c550

SHA512
3176cf3a54054751c4136794a470288ef2592d0bc7fcf3ca46ed890425d63d06fe29c4b34766388705a504c4a68e46cfd3f9e3bcff3bb8dbcdeddefc7732ffec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df5972088e3f689c5fd497093438c0c8

SHA1
ab6ce442c3fc683838f34f96b535de6e96edbd59

SHA256
cfba5cbc2b1103277d474fcaaa69eabf789ee3c138454d9a6a06ec3d8c1677b1

SHA512
ab63a27a4489740981f1b1eb5c3e9620c026da4066795ba2d8d67f49540d5c0314685bfa81c15a8f6fefdd4cc9411c7f8d65636295dc8da53fe6e32f8f2d7d58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec4050d962961a501daf80451429b947

SHA1
cb792d431c59e59f54042673385bb8eb4efc4e2a

SHA256
906cf6e51b2b9d38810ed993c9fe20a4a6b549b7ea53e7fa93d914d95124624c

SHA512
728dbd186c28d4cc5d6f161e7000487f8ef1703392bd7bd7f3ddbf008bfd24ede976bbb7659eba2d0aa97eb3e5f3e5420a9c8835d82840825efd859379d20703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
310379ef5cc4899204ad20d8aab9a940

SHA1
00685b9c2d078ad0cb7dc19d3e13460c9ccc0e49

SHA256
d8048860d4842b3b5d39ba3b87870e68d55075bcac4d327569cecc5c9cba882e

SHA512
2ebbea2c9c0299ef349873ccacbe36455b7aca6ec4070c60fb5ae68ebd9d573d762ff86fc0ae2834a4eb2e88fe80d8947a47af7f4e59c24843028a217f3e2c84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bb85157192da543bc495167cd9dbe0d

SHA1
c28caf6ad026de066faf2ccd2b4701c58697c2a3

SHA256
08f8c4e3a5549ad444676ce91cf30220fae56e9d98b53d12fef7aa6e337d6596

SHA512
1bf6ceccb0de1dd8a877ae8ec7a05ab97c8e3595f2eb32eb6cda259860f514bd02532d4834912bfff61cc38a6184297a05bd4360ce3ac465549a9d0837a2e130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41caee0e3846862e618c54bff9694c79

SHA1
0bc6872eb88b40adf91e09283dc9fbe15038c23f

SHA256
179dac383faeb428d6561141c05bb47ec96ab5b649bdbd0f606e64f233e2c11b

SHA512
94898e00d6e89d6ffca5c3dae0be22935fabe0909e70a22d7ae140966b69c1288f8012a7182e021afc8fe4eec2fccf92cc54ef0de1200e431e144812c623fdf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d4d84555d59701e8fd074136a279342

SHA1
ad1c3a92a02f4e624a501106a586f99a0ad5a6f4

SHA256
5454cfecc72ecc806c538c56d6e750c4593672fdc5fdc5b8fc61247ac43cfcaa

SHA512
6ac6e58b76e8cf6829d1d390e49d738a26533bdf68a6820fd2906cbeba8b42a38df2daf123b0dbfc90f49ea087a786a9d25742f9743b6ab5356d7b95b755fce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8aba863c0503178cd67388cd61dbdea9

SHA1
f860bf55232cf266c9fe7999df97d69f4d759872

SHA256
45e1f7e8f1be34c7df83778a17fff65628a1d010763222ad8c84336b32415261

SHA512
329859e4a966031a5f5d255e829ec08bea53603c693e97d2a2efb57788cb5434cfc1768eaea6abf6d13788bbfe8e9b72f72ce4b890725d79e8a77c494bd01d2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0551231240e3ff93327b7b00c3d2a661

SHA1
30f1668e32e638c91e095a8706b97bac2eec8a7e

SHA256
3f3a957836d94bdc1a8d0875e337fd1063bccefb6ed7289f8e98a9f58f31862f

SHA512
dc8647763b4ca693e870c8771146a0941a02d66774867c53df746f3d6e7ba3e7c7c1a323e20d1dfa78bf8b534ee04e3d34eaefed0e666e76ce43b62a78250746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22fafbb428a9b12d72c2458ffc60c442

SHA1
9da59982ab5f81fe6f8bcc66a5598b983490d946

SHA256
39142054b3af73cf03072ccebc44c572591f02b664c63ea47517144db5de7da9

SHA512
dcf9f268a314f28a1c27e6f002a07685a6697701da10d2c8579a6fc5de25db4eb4a3dacf982df0c728f265ead9f9fc78890fbcc512870eb5fcf1737ef4830723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5f764fcd458c270473df3da55b38086

SHA1
614406338ed4c385b2797c8317c5fca28b30d724

SHA256
985e5efe1dd10b3115d635dfefce3ce1cff08d9bc529bf8de3419d195d7347d7

SHA512
1932da519974d1055b94cfb64768f16ca0e49ffd0269ae962590206284b2a0ed1f87221ee8c2b27fd921df904db16d918e2a8556f7a9abcd7f017e69eb09a380

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0442ecd2dacae39a21acaffe83e9b15a

SHA1
0539458dbf792ef9b805467a758b625d4aa692fe

SHA256
bb4bedf756b7f86fdcc9976092ea50d197d7f81703f3eb4fab83b35ee0245123

SHA512
899d987c15c0df0654d85962292ef4bf13d8e1ef308830935793d3ccc9f2a0ef33718e7fb123ae56dc86fb7b3f8b391e2a2b94a461fe4bd65cbccefc16f46a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaf0d7015dbb209e61a25575aeb755a1

SHA1
38e6c9bacf005010fad6da279cab027582592d15

SHA256
c735f926f17b2863fad106c3ed4366fa906553e5b60c1cc6fbd29a3ca3a11d49

SHA512
914baed65321d0c99e25a57b3cca8d71ba14343319f56b4002ea2116f4eed5909765a5a6bc5a344ee59f479f167ef6a6fda5d640891b7d39f5808e9b72e6b8fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec2aaece55900d31ce3326da6286fc05

SHA1
cd3fb0ff851fde4e01b8a58e9ebf0375517bcf9c

SHA256
f7204cbfd7a2ed25dd3e060ff58d01d94429321e374ff56187b93253ec522d73

SHA512
7c2a57046318e75644fbd5f66b2b26a9edbc76e75b98cb0304a39fb266172f06ddafe31359536db1a39e3a4e6c54dede048940c450df62cb824369931f319e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab725.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar795.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.F2Ai

Filesize
48KB

MD5
b5000a923ddb2cf22e6a635b7ae85706

SHA1
f6724653acc074dccad7f27e938f5c13bf372682

SHA256
0ba63b5abe36ab8ef86e50e4ad69953a17bb30146c1ba1a94852ce3f1de55b3a

SHA512
e8bb0b1e2677e6fdf098ba7a953701d78b0589144eaebc9e521537eadbd78b5b33cd85c3ba13aff56486d0fe14d94c9f775363e7085b42b4b51caec5c7a070c2

Download Submit
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs

Filesize
185B

MD5
23e0e8c821b40253c04d561a6d06e253

SHA1
5df1808c8485ad1d90f1431adfa2694dbb1ed693

SHA256
54905816b33af2b53b2e127e0a7db664d126700b3fdd360894b9d924544f639a

SHA512
87a57f1615db68d57381b1a8602c92e57e3a8bf447ed842f410e50efd13a7f7ba44998b00d5e54238f09cad24ffe59c3aa788c1390364c465c761f3da6a688e8

Download Submit
C:\Users\Admin\Desktop\SplitCompare.xlsx.F2Ai

Filesize
11KB

MD5
8d7cd2aa61e22ba3d7810cc68ccf909e

SHA1
773bcc154915bb29980daf654aaeb3e0bfd7900c

SHA256
59d2b333bb9cd1bf9dc1ec988ac9c3bdddfd910c25e63aa05341f14321f36b5e

SHA512
042c5450e77a6e460fee10b6c0c3f63f67c581297cae28e8203a0f78c711692a979a81322adb5207c31f1854d2a720119b5c115b86f18436a6609b3b1a31de5f

Download Submit