Analysis Overview
SHA256
a834b3d15719bbf9f0c7b5740b8a30de2eb3aee9e24598b3a30e37253e0c154e
Threat Level: Shows suspicious behavior
The file Ransomware Cyb3r Byt3s.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Enumerates connected drives
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
UPX packed file
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 12:23
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 12:23
Reported
2024-11-05 12:25
Platform
win7-20240729-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\386UAANV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\f:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B329PW0O\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3K0NZPWJ\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
UPX packed file
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe"
Network
Files
C:\Users\Admin\AppData\Local\Adobe\Acrobat\CyberVolk_ReadMe.txt
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.cvenc
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini.cvenc
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.Lck.cvenc
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.cvenc
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 12:23
Reported
2024-11-05 12:25
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\f:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
UPX packed file
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware Cyb3r Byt3s.exe"
Network
Files
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt
memory/1888-428-0x0000000000400000-0x00000000008A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\MANIFEST-000001.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msotd_exe_15.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658826891613.txt.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666145703406.txt.cvenc
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc
C:\Users\Admin\AppData\Roaming\time.dat
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc