Malware Analysis Report

2025-06-16 00:52

Sample ID 241105-pkgjns1brg
Target Ransomware Cyb3r Byt3s.exe
SHA256 a834b3d15719bbf9f0c7b5740b8a30de2eb3aee9e24598b3a30e37253e0c154e
Tags: upx credential_access discovery ransomware spyware stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256

a834b3d15719bbf9f0c7b5740b8a30de2eb3aee9e24598b3a30e37253e0c154e

Threat Level: Shows suspicious behavior

The file Ransomware Cyb3r Byt3s.exe was found to show suspicious behavior.

Malicious Activity Summary

upx credential_access discovery ransomware spyware stealer

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

UPX packed file

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 12:23

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 12:23

Reported

2024-11-05 12:25

Platform

win7-20240729-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\386UAANV\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\f:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B329PW0O\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3K0NZPWJ\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe

"C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe"

Network

N/A

Files

memory/2640-0-0x0000000000400000-0x00000000008A4000-memory.dmp

C:\Users\Admin\AppData\Local\Adobe\Acrobat\CyberVolk_ReadMe.txt


C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc


C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.cvenc


C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini.cvenc


memory/2640-596-0x0000000000400000-0x00000000008A4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc


C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.Lck.cvenc


C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.cvenc


C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 12:23

Reported

2024-11-05 12:25

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\f:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened for modification \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
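The two tables above are the behavioural rows an analyst would turn into detections first: the drive sweep, in which one process probes 23 drive letters (every letter except C:, D: and F: appears in the list), and the wallpaper write, which points HKCU\Control Panel\Desktop\Wallpaper at a .bmp dropped in the user's Temp directory. The Python below is an added example and is not part of the report or of any sandbox tooling: it parses signature rows in the layout this page uses and emits one finding per behaviour. The two explorer.exe rows and the threshold of 8 distinct drive roots are constructed assumptions for the example; the remaining rows are copied from the tables above. Note that the report renders backslashes inside registry values doubled, so the value actually written is C:\Users\Admin\AppData\Local\Temp\\tmp.bmp, with a doubled separator before tmp.bmp that Win32 path normalisation collapses.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Signature rows copied from the behavioral1 tables (drive sweep and wallpaper write),
# followed by two constructed explorer.exe rows that an ordinary session would produce.
SIGNATURE_ROWS = r"""
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A
File opened (read-only) \??\c: C:\Windows\explorer.exe N/A
File opened (read-only) \??\d: C:\Windows\explorer.exe N/A
"""

# "File opened (read-only) \??\X: <process> N/A": capture the drive letter and the process.
DRIVE_RE = re.compile(r'^File opened \(read-only\) \\\?\?\\([A-Za-z]): (.+?) N/A$')
# "Set value (str) \REGISTRY\USER\<SID>\Control Panel\Desktop\Wallpaper = "<value>" <process> N/A"
WALLPAPER_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\USER\\\S+\\Control Panel\\Desktop\\Wallpaper = "(.*)" (.+?) N/A$'
)

# Locations a standard user can write to without elevation; a wallpaper served from
# one of these is the usual ransomware pattern (drop a .bmp, then point the registry at it).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def triage(rows: str, sweep_threshold: int = 8) -> list[dict]:
    """Return one finding per suspicious behaviour present in the signature rows."""
    drives: dict[str, set[str]] = defaultdict(set)  # process -> distinct drive letters probed
    findings: list[dict] = []
    for line in rows.strip().splitlines():
        m = DRIVE_RE.match(line)
        if m:
            drives[m.group(2)].add(m.group(1).lower())
            continue
        m = WALLPAPER_RE.match(line)
        if m:
            # The report doubles every backslash inside the quoted value; undo that first.
            value = m.group(1).replace("\\\\", "\\")
            if any(marker in value.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append({"process": m.group(2),
                                 "finding": "wallpaper_from_user_writable_path",
                                 "value": value})
    for proc, letters in drives.items():
        # A normal process touches the one or two volumes it works on; probing most of
        # the alphabet regardless of what is mounted is the enumeration signature.
        if len(letters) >= sweep_threshold:
            findings.append({"process": proc,
                             "finding": "drive_letter_sweep",
                             "drives": "".join(sorted(letters))})
    return findings


if __name__ == "__main__":
    for f in triage(SIGNATURE_ROWS):
        print(f)
```

The drive heuristic keys on distinct roots per process rather than on any single letter, so a backup agent opening two mapped shares stays under the threshold while a sweep of the alphabet does not; the wallpaper check fires on the path, not on the value being set at all, since legitimate personalisation tools also write that key.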

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe

"C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

All eleven entries are reverse (PTR) lookups of in-addr.arpa names sent to 8.8.8.8 over UDP. No forward DNS queries and no other connections are recorded for this run, and the table carries no process column, so it neither attributes the lookups to the sample nor shows any command-and-control or exfiltration traffic.

Files

memory/1888-0-0x0000000000400000-0x00000000008A4000-memory.dmp

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt

MD5 0fc56ffcd80bb3b9c72eeeb99d089d76
SHA1 993b8d70a51222c52893b3a9697f1a877d604b83
SHA256 9a0b5fa8fbbe92d4e39244664eedccd3f64b5567eff3fbd0718d6ea207362b97
SHA512 f6e6a788dc0f98c609cc441c36449fbb777d3f161ac904897744a6da062ad67f616d92d98efcddde7a02c7928fe4f04495956d099dff729626cca7487fe2a469

memory/1888-428-0x0000000000400000-0x00000000008A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc

MD5 19a8ab80397d62c49806345dfe68c77e
SHA1 1007b54da8c85d696e457333717904fbda6935c9
SHA256 d42546eb8cec8223174cd04217ebccf41d5db319ffcefb88267896f15efb3c23
SHA512 342ebd7dc86179a8c74a0876d6da19318915e813a66f69b56059b986ba08e70a8692657d187c65f8130084f4c16008df36507b5a226c4c65cb7d3ed18a15e130

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\MANIFEST-000001.cvenc

MD5 c81270a824c3d3308aff717555d09697
SHA1 ef55d4416b67a2ff4be5d91a691d623f0e68a9ed
SHA256 2f73d78234802c7a768f31c7cbdeaccf8a1fcb4023b08841cf6115839af0a1ad
SHA512 972d08cfbefc10d7c13b88fdc3f1fac36159d0ecd11c11b9d6c6b2a9960c09fcb52785d7da8b7c574a04a00081022c413c6efedc0f5be2da7376dd546798b280

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msotd_exe_15.cvenc

MD5 8e5e45951253610c1166cdd52959b99a
SHA1 064b8bbfdddb56f7de87d18dd11d6a2035f2d5f7
SHA256 f6da823951f54185fc02e6a7d90455dad6ca059c422759fae139d623e909e596
SHA512 6887601019a538eb41a576a4306078894117b66aceda53bac0746365630c3c7d32dad27509b26d6efdaa9233499c34eabe45f77ad2bc6cf9aae4532a219aea6d

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe.cvenc

MD5 502124f5cbcc1857364d4d985307181d
SHA1 4c7c350bb1c92760e28c0cf58f0dfa8c4dc220f5
SHA256 dc8a40b458314d1fd317af20346f455ff226324c893147a85cccac5d66aacbc8
SHA512 3153dbd6d04d6d79be9715d44375c1c2d5730c1e4b31fe9e7033a67bbf0d33b5b3c3c34d5148adc20bfcd41b6371b9fab582df8432da98975110a2cf225b65f0

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658826891613.txt.cvenc

MD5 c6132e519e163726dbbfda086d031644
SHA1 11def520af96c514a297459fda7dfa64606dca21
SHA256 101d74c6de8bb512832a62fd782fa53a44a368c7e37c07f10a38308cd6485dd6
SHA512 cbc97f391e9a303f68ba92f8f2ae71a248c0d3725590ab0a6008ce8a455e6f32a9fbc87c2257018edddef6b68a5bdb65bfd4c8f89c5504e88af9efd11972b8c8

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt.cvenc

MD5 ca40402acb7f01d9d9d6521e150f6dc0
SHA1 ad111b047d254f762c6142b1c1ae9511a23a3caf
SHA256 b8d2f4a7d68cfbc1b8a3cee44a471671cff0b9577809486333539401d28be1a2
SHA512 6930179b3dd1164d1081ea2bed53473d111d8d50aa36567cf41d4214dbf0fc06f0581e5466e3cae683783e3c7e4ec1d1636985f5efca5484d9b6a6d853bbcc96

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666145703406.txt.cvenc

MD5 6dc82b1a3ba99df05f10bf1dcd3c15ce
SHA1 d9b0ed77a873e946f015b043f3efeb1a15fc6df7
SHA256 f0a2bfda46eb97f8da691fc1b09e81ea364d255de37aafa654ee168635ca6e30
SHA512 50a6993fe576137a4387ce66692b839931f562c033b822e0a04f421a8fd4e57d42e633fa38ad86f93b53cd7cc08557a984b2dbac025563c6f5950a2376a39f9f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc

MD5 df3cbbe92a7ab2fe237a40afc369d4fc
SHA1 a11e49dd31d971ece504f58335567b4fdb2fde64
SHA256 271f7ff6e72441deb810a5481d8286a5938c3319c19cf8736ce69b62e6526b03
SHA512 855e8da1e75aa02c75cdc7fbea658686a8cf05d9794ca02f45a5d57875d4b58aefd5eddc273f6e3ee679c0a07900a449a5dfcc79396ba0289994874010fd9b9d

C:\Users\Admin\AppData\Roaming\time.dat

MD5 06d25652fd4d2f202bff043f7ae5c504
SHA1 f5b87f13df16e1681de41f62ae871fa09f31fbb7
SHA256 ca1b7797566e850c3e583a2fbda610a51d5504ca9b0d611a0a3e2770c912d52d
SHA512 2e163503f90bac259177ef629f0d59ee990d875d39b5556c76acee45ff2050d1f4b14922ebbd475d4cfc8693d2b9515902a2ee44031f2c98b472992c2ccdf2db

C:\Users\Admin\AppData\Roaming\time.dat

MD5 7ce5417e80aef872ba20917011e39416
SHA1 4ce45e74ef4a8701eaaa4e8fb17bab705ebd772c
SHA256 987f32746376de3fa8ff935ec01448a5936c8e222ce383cf89b4dc2ecdc67ea8
SHA512 b9926371eb5022b27b43e08bb30040cb4ed8938e0ab7ec0495a9ee176faae0e9ff6f392d801bf6c610080813568810202364100273883e5057c2ab3bd57887ec

C:\Users\Admin\AppData\Roaming\time.dat

MD5 7bf023ca6853abd395cab03f83945d24
SHA1 d3aa95e00bcefca65d121709dddb12c213b32fc1
SHA256 5a703f620dbab029a3ac801c3fc85ef4327a5f0a751b852f650bf14b9b44459b
SHA512 653e70bfdb9cb9b69d577710c09032bd2a9658d0e23cba214970232f6a6cc0538b54d0b946c026cf2af87a12672d6d65074d6fc196778aac828ec57f1c88b03a

C:\Users\Admin\AppData\Roaming\time.dat

MD5 db9488b8bd624473f2001f5ca6a1551e
SHA1 7dc1e1a4c76403b5404918eeca098b12f11f7596
SHA256 45c08529fc638c300feeb27a726d997626694ac3793087acc34e51f0a6e170e8
SHA512 2d65e85357dc5a292a7969581ca95ad8551b476501b3311065b29fca333addb2f4d5330720de52196bdf7b6d35a8ed562f43c4091eeb783d2b82eb26decfe445

C:\Users\Admin\AppData\Roaming\time.dat

MD5 619d6b6bff9a5152560ae73fb2264006
SHA1 791d6736d22916e74b5f4c1e486aafb9fccb20be
SHA256 5a8bbd7a0887dfcfee9cd1f97e7ba9e568741cb632f3121b5b7d4f3e90e85b79
SHA512 d604b2abc14a450ed963ac334eb0d1fd13cc0e4b08a26f1ef4643824e18f3aaef3c60f616fb344a2f3b53ec4097446827d5a9864acc8d12c30016efc0712c6b5

C:\Users\Admin\AppData\Roaming\time.dat

MD5 81b69a02d9469be08c2426117991d9f0
SHA1 c3ab5823761fe40d6dcd0a01bf4f0a944fa0b628
SHA256 d6e1d9c927753981079ade4b46eb23e9179b89e3b13f06f025b3a798d63b6c0f
SHA512 3e3f7b87217408d6910deb23acbf0ca9246f7bbd61ec0686b1d12a4e4c66795a89886764df8962ce9e3f5d90347614d7883ea60f314be15e34b292ccf808746b

C:\Users\Admin\AppData\Roaming\time.dat

MD5 a52357f1ce8160dee6563b6a3391ffa8
SHA1 b73819a7e2227bda306f42ddd029c72406b1f55a
SHA256 bfed65e0ee3b331187d31bd503dcbad42f17bf749b37c34f64cf8bbc3007073c
SHA512 01d5c13702803762b4e163f6f03c5d5f46b81e4c2badbee0cd2e463f53f26fee98895278061ad078f61e9b28d1057fa3f576c17ec9171ee57a743fcb14fd65db

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc

MD5 b8a0c4f9a943ea26f14e68ce4aee0a59
SHA1 756b13d2a804046981d139bed9d2b703f98b98e0
SHA256 6d599cb583bc879258bb4b796d4d489882a2a8f17cd025b8c438ddf3a3530164
SHA512 a1cf6db8d477fa863759953f6d2ab27a19366e0872fa7544ad8f347f3b3bff4550654973dbca01f0164b29792e26e6a17b2d877469bf57888bd3907d6fb8c6a5

C:\Users\Admin\AppData\Roaming\time.dat

MD5 a0179641d667ce21172c78e960b3a1ef
SHA1 4c3d20191d29ddbbcc3c73657ab4c2781f049b98
SHA256 4433080be68eabdd338bda9c8c30bee3fc1f696b6212f13bcb77721e1d738c7a
SHA512 a9c4d7baed7afe634341b14f6bd9de0751940768c260efb8be75cde6c1507c899da7aa677235363afe972cfcac9626b43d9b0ba142bcccf1c93ebeb8be87006b

C:\Users\Admin\AppData\Roaming\time.dat

MD5 9184a041ce18953012722dcfa9052c39
SHA1 b66f41c59f284077ff3722b06f0da23661adc6d5
SHA256 2beac637f987eff79344e5b9b32dd390cb92b9925dcf0a47b94c436b300efec5
SHA512 50b103df02a3a96f9cd01317fd821d2cf7faeb6b3b918ad87c47ae1952ebcea91cda7ea82ec43aabf7703f56baa39ab88fa65c12ceee7926541d2fae87ad1d35

C:\Users\Admin\AppData\Roaming\time.dat

MD5 d8ac3b01ba19729174a8f1e63c9e937c
SHA1 e40192d86760273f0f1f13bfe0609f2ce38fb56d
SHA256 a5f6e28cca214fb60a873fd4b27ea02bbef08b5bde05f4ba831b790a54a2435c
SHA512 cea558fdb51a2a7d85758b01c834896f49849cd7b018a5080c6213a60e94e89d70b0d92e466e2844828aa6566115ba6e21a6d69d833186a6699d45dc7bb6c9ca

C:\Users\Admin\AppData\Roaming\time.dat

MD5 a25328715ddbaafaf2a70718e94220ac
SHA1 33d2f3fdaa0ab606148902ec6ddc94c340393423
SHA256 f2b2d2b023f71e791c2644201fa62b2dcf6c78d7402d774a552d5b7b20f02ad3
SHA512 13269781e22ef427cddd6aa2813993b044b7061048657c33da449bebdb77f4d23dc4a525c4b024ce9a54ca0d8a2b45c941309c3c90bc90b88406ca6050269254

C:\Users\Admin\AppData\Roaming\time.dat

MD5 d450f01b90e9cfa5848596f1e6457c17
SHA1 83d1c2d23075b1bd21d8a57d0a9ad7480e7e7234
SHA256 78ef135cef6cb29d44b91beb545a2a78dbdbc0a981735bad98640318a1b80b9b
SHA512 515ade2b324a6a287157d5b0b0ca075df8edad201ec3d227e0adb4c4fd6c0b4ace77d6963556f19d825670f2c2aac04e36a462873742c5c2413b9892f6aa3aa0

C:\Users\Admin\AppData\Roaming\time.dat

MD5 c8997cb7eaa2a24c8344695c19dd1f92
SHA1 ebdc14bc4955b5bf54242dbe94b8a68ccad1ce7b
SHA256 ac1864880bb4bc57a3c079c00e5c104d68c0cb1164f93abcfdad0059806a3c6d
SHA512 17f98596c100a69601bd79799378fb545919ef2dc8ef8a3c5d2220f5b460c215adcb9c676e7e054d0006301fe15f9bbd0a99f714b1dfdb78ad8ebd734da1e5a3

C:\Users\Admin\AppData\Roaming\time.dat

MD5 1221132d8390ea66832cf2eabd8eb668
SHA1 2e79360c33912d132e7a96d1a9ca018cdf675ca9
SHA256 2a50ac545f30b02200c4f18f694ce7e0ce691e9f509c38d8beebf3b4dd046b53
SHA512 b15e496fcedc0a6cdba00039fdd241047539de119ea06eea00994450a8325da09318b2c21f5d173484c600c7e301eac43031efdde5485cfdd91b18508acfa800
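Three things in the file list above are worth extracting programmatically: every encrypted file carries the .cvenc extension, the ransom note is CyberVolk_ReadMe.txt (dropped here under the Acrobat cache directory), and C:\Users\Admin\AppData\Roaming\time.dat appears fourteen times with a different hash each time, that is, it is rewritten repeatedly during the run. The two memory/1888-... entries both cover 0x400000 to 0x8A4000 of PID 1888 (0x4A4000 bytes starting at the conventional default image base of a 32-bit PE), which is the in-memory image of the main module; since the file on disk is UPX-packed, that dump is where the unpacked code lives. The Python below is an added example and is not tooling from the report or from the sandbox vendor: it parses an excerpt of the list (paths and hashes copied from the report, with most entries trimmed to their SHA256 line) into records and derives those indicators. The record layout and the field names are the example's own.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Excerpt of the report's Files section: the first memory dump, the ransom note, two
# encrypted files and three of the fourteen time.dat rewrites. Values are copied from
# the report; for brevity only the ransom note keeps all four hash lines.
FILES_SECTION = r"""
memory/1888-0-0x0000000000400000-0x00000000008A4000-memory.dmp

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt

MD5 0fc56ffcd80bb3b9c72eeeb99d089d76
SHA1 993b8d70a51222c52893b3a9697f1a877d604b83
SHA256 9a0b5fa8fbbe92d4e39244664eedccd3f64b5567eff3fbd0718d6ea207362b97
SHA512 f6e6a788dc0f98c609cc441c36449fbb777d3f161ac904897744a6da062ad67f616d92d98efcddde7a02c7928fe4f04495956d099dff729626cca7487fe2a469

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc

SHA256 d42546eb8cec8223174cd04217ebccf41d5db319ffcefb88267896f15efb3c23

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc

SHA256 6d599cb583bc879258bb4b796d4d489882a2a8f17cd025b8c438ddf3a3530164

C:\Users\Admin\AppData\Roaming\time.dat

SHA256 ca1b7797566e850c3e583a2fbda610a51d5504ca9b0d611a0a3e2770c912d52d

C:\Users\Admin\AppData\Roaming\time.dat

SHA256 987f32746376de3fa8ff935ec01448a5936c8e222ce383cf89b4dc2ecdc67ea8

C:\Users\Admin\AppData\Roaming\time.dat

SHA256 5a703f620dbab029a3ac801c3fc85ef4327a5f0a751b852f650bf14b9b44459b
"""

HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$')
# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp; the second numeric field is not interpreted here.
MEMDUMP_RE = re.compile(r'^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')


def parse_files_section(text: str) -> list[dict]:
    """Turn the report's path-then-hash-lines layout into one record per listed file."""
    records: list[dict] = []
    current: dict | None = None
    for line in (raw.strip() for raw in text.strip().splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2)
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def summarize(records: list[dict], encrypted_ext: str = ".cvenc",
              note_name: str = "CyberVolk_ReadMe.txt") -> dict:
    """Derive the indicators an analyst would pull from the file list."""
    versions: dict[str, list[str]] = defaultdict(list)  # path -> distinct SHA256 values seen
    encrypted, notes, dumps = [], [], []
    for r in records:
        path = r["path"]
        m = MEMDUMP_RE.match(path)
        if m:
            base, end = int(m.group(2), 16), int(m.group(3), 16)
            dumps.append({"pid": int(m.group(1)), "base": base, "size": end - base})
            continue
        sha = r["hashes"].get("SHA256")
        if sha and sha not in versions[path]:
            versions[path].append(sha)
        if path.lower().endswith(encrypted_ext):
            encrypted.append(path)
        if path.split("\\")[-1] == note_name:
            notes.append(r)
    return {
        "encrypted": encrypted,
        "ransom_notes": notes,
        # Paths listed more than once with differing content: state files the sample keeps updating.
        "rewritten": {p: v for p, v in versions.items() if len(v) > 1},
        "memory_dumps": dumps,
    }


if __name__ == "__main__":
    summary = summarize(parse_files_section(FILES_SECTION))
    print(f"{len(summary['encrypted'])} encrypted files, note SHA256 "
          f"{summary['ransom_notes'][0]['hashes']['SHA256']}")
    for d in summary["memory_dumps"]:
        print(f"PID {d['pid']}: image at {d['base']:#x}, {d['size']:#x} bytes")
```

The extension and note filename are parameters because they are the two indicators most likely to change between builds of the same family, while the parsing of the list itself does not; the memory-dump size comes straight from the filename, so the analyst knows before downloading anything that the dump is a full main-module image rather than a heap fragment.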