Malware Analysis Report

2025-08-05 14:43

Sample ID 250701-h9bw6asry7
Target 439ff2060a600d666dafcf86f7ef8fea5ee0cca7e39521c986a3181d99ede61d.zip
SHA256 439ff2060a600d666dafcf86f7ef8fea5ee0cca7e39521c986a3181d99ede61d
Tags
credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

439ff2060a600d666dafcf86f7ef8fea5ee0cca7e39521c986a3181d99ede61d

Threat Level: Known bad

The file 439ff2060a600d666dafcf86f7ef8fea5ee0cca7e39521c986a3181d99ede61d.zip was found to be: Known bad.

Malicious Activity Summary

credential_access discovery ransomware spyware stealer

Renames multiple (2710) files with added filename extension

Renames multiple (2895) files with added filename extension

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-01 07:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 07:25

Reported

2025-07-01 07:28

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/4460-1-0x0000000000400000-0x00000000004DD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-01 07:25

Reported

2025-07-01 07:28

Platform

win11-20250610-en

Max time kernel

40s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Network

Files

memory/4592-1-0x0000000000400000-0x00000000004DD000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-01 07:25

Reported

2025-07-01 07:28

Platform

win10v2004-20250619-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom.exe"

Signatures

Renames multiple (2710) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification \??\f:\$RECYCLE.BIN\S-1-5-21-4144907350-1836498122-2806216936-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom.exe

"C:\Users\Admin\AppData\Local\Temp\ransom.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\CyberVolk_ReadMe.txt

MD5 ce7ff0a9361571a2dcb08f50500ace3f
SHA1 5d8bed459f55a37e2fcb801d04de337a01c5d623
SHA256 894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee
SHA512 bba6d46fae5b4099b047b192f7df21fdf01675b09f3da38a365710fc9aa5b126cc6a2c2547be48deecfaa360e1521cf04a9793af083735de4a8cb7be9bd4c52a

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.cvenc

MD5 4eb699031648790022dbd774a91dbd01
SHA1 696a1893af7dcd8535ea3f50d4f68cd6c952032f
SHA256 b8a5804e43257364283577116ea29d5414efdd2ac5c6e307f1474792374e4805
SHA512 54851b41460fea480727b5164c833adad3cd42328e16ef01290180481587b4a1eb25463cf9507947b725d2e0862cd520b718f1a1cfa5259e05515c65448af7eb

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc.cvenc

MD5 fce09ddd3667c50e37d17f53a29fd585
SHA1 0b5fc64536f2d0e2ccba96d0be05212651b7243c
SHA256 fd3f400d46c186af798c3e8b5f782596da3bd4d7a71031bacad1ebc370cfb604
SHA512 d1ea969b8cc831b11a511f17fc1fb187d653dd95343aaaf3a3389ea17f9a544eedcf437f1e9af47e9b51908be93c06da6b2072e7b669a5f01ff252db849655a1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133948122616068753.txt.cvenc

MD5 1611e9f14c4e87041be6a76e7832fdf8
SHA1 c7d8a510915d6faa1718a3875a455419d0df447b
SHA256 bcbf5e0cfa3146e70c935ea4c8f01b434aa28fe2bb329eea05f107078c1dabb3
SHA512 2867921c9b2b0f7deac26a875d20a5d67a6efb1e13cb06241966423666480ad20971c722efb8be2fe6fec2cc3acfd484d941078646d34670f67a5078272942c4

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133948128344759353.txt.cvenc

MD5 c2b70fadc7b60df1c064ceb54ab47100
SHA1 24bcc22505e50148cc5f1c47141eae5d887db4ab
SHA256 43b199de9d3b230f8b0396c4e8da0cf7f3f7f068a8d02d2c6d3d94a5020d783e
SHA512 2385ddabc964557c6812ccab5aba0b815449dffa011d479bbb3d6a4be3a4bf01c83ac383e321705fbdc745b98ceed63f96905369558844b0ab91f7ada5cacf72

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133948130976112793.txt.cvenc

MD5 861dea94aa2b1f2b6198d4790c097885
SHA1 9d0533a6b439f92ffc1124567f1527e5c99f8596
SHA256 8367ac3016781e4e896b0913842a2be56f752a8fa7d2dfb1aea0d04f01881ae8
SHA512 2f7788188358ffe3a49bc3aa26e6f5983072f3cd30b499ec07c6b452af1fdccb133c019c2ef219b1349d5c687a76ba9311252f185a2a516ea7382e68bc1f53ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc

MD5 623b5cd467e775f3c57ad7a1f8c3966b
SHA1 912eab8b73c9e7488cb3f0f5041224d200cded61
SHA256 cfb49483e924170d762f99f5fd3291a8ad11575c49e50aabe9b5531da364b0b8
SHA512 3be7a4c769ed76a72f6b3a86d43e4cb88ddc12e9eb6d058ff17596ffa12e0ba326db7296e3fbf904a7511a616027f98d715e30e74e2a74d2778e8d07611ce77a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.cvenc

MD5 f78a1026377da40cbdace79d3e092901
SHA1 23f656c9d110b838ef807c21e9a0aee9b13f6875
SHA256 b93417e08868e27bc96df04521641a47b7cff62a322a4e18481381773304ec79
SHA512 4012eac19a8c1ea7b7a5485db33b1f44053dab71aaaf98c324b8d08c2504437eaccfab5723b234ab54a397b9c689fb997850688c3563e56594b3cb7f6170b31a

C:\Users\Admin\AppData\Roaming\time.dat

MD5 e36c72761b575374e7d7e63a0333d93f
SHA1 01b61b9ddd5632f78edb1bc40fdfa6d6aada083f
SHA256 2fa8eba4e72866823c3e963389d1d3a58d1bf10b6bb427b384b914a3629af429
SHA512 12e4fad54c218b0cc59fc1643ef6af1c8c08a74a05f89fc10c9cea53969aad214711086578efa1922c72bdf375cb5753a97fd98bf9bcebd86190a6e9b7b44550

C:\Users\Admin\AppData\Roaming\time.dat

MD5 2389ceb16e2cc3941618a5f9055840d0
SHA1 c23244a0b6511bea9cc7732b954a94b187454f3f
SHA256 8c496c831c776415f7491e6de8457bb88c62eefeff270c8e0dbec39b78b9413d
SHA512 de891c5d63059b4cb6bf4f7fa32b30a474209512f5a7297a920ef4ac9b42bbbd67a73054fd6b85533ebbc9f630262a67ae390e0347597be25399d58aede643c3

C:\Users\Admin\AppData\Roaming\time.dat

MD5 509421719867b607d48a0a1b0ae35c89
SHA1 d94181ed6be56c0a99e749b0527704a9f1b35d1f
SHA256 75de81c20d6f96afffc7becf1d76612842635a9c70167b482e233540738a97e5
SHA512 11979eaeb9b486f274b8f8112cc3ccac92830b5a6d1e2fa2218c85c89b72a67a380262665aa2329770116e691e885e127003be8c598111149249209cc23553e0

C:\Users\Admin\AppData\Roaming\time.dat

MD5 6878fea7a98cb41194729e55ee5cea46
SHA1 0c6c7f2b1b7e4da539623a8f0fb7012e2ea468d5
SHA256 bc62c7cd2cb19dae74f15b14964b6eb3942104662a21d5ba91eac861ea67bbe2
SHA512 cd45971f2646a7fc29262659245a1da2b5fed56ff38b60c6820f36eade7a6b57588ff82472e1eff92e02b33199a4c6af96e65b69fd9b51eaaa4172bbaa5f1874

C:\Users\Admin\AppData\Roaming\time.dat

MD5 e58e3a33512dd5cbb9e07daa9cca8d19
SHA1 7cf3a0ae11d0f3ff28ae51a20eb398053587e6a7
SHA256 d0653fe8530d7c8e76243fe8c3fadaab5d9f82833de425d7470fe3076b6a9e3a
SHA512 8e0fdb1ca63cfb3fa3da85152aa1d0ff173d6421a13a121aa7b1adcd2c629a236273f2e82e19049317fa7338182de8fc36e3f96284176a267ca17fe8ee66559f

C:\Users\Admin\AppData\Roaming\time.dat

MD5 c67c47db7c62cf7d1cb62bc14e4c71c6
SHA1 227faf3bc48b87a8745ffcff09e97093812dff70
SHA256 a5cbc7664ddb2af6fbcdae5b4477be47e3b3ebdf327bd9626ee1a972eab6fb26
SHA512 37058f98ba895613a259bbad45cb3be3db68684a6f01d75f14d20d464c081e4878632dcc8a20667993bb4bcd648425ff867a2f58042d5441403d768dfc54e28f

C:\Users\Admin\AppData\Roaming\time.dat

MD5 619d6b6bff9a5152560ae73fb2264006
SHA1 791d6736d22916e74b5f4c1e486aafb9fccb20be
SHA256 5a8bbd7a0887dfcfee9cd1f97e7ba9e568741cb632f3121b5b7d4f3e90e85b79
SHA512 d604b2abc14a450ed963ac334eb0d1fd13cc0e4b08a26f1ef4643824e18f3aaef3c60f616fb344a2f3b53ec4097446827d5a9864acc8d12c30016efc0712c6b5

C:\Users\Admin\AppData\Roaming\time.dat

MD5 942d56c3022c0cbed8b956292110a54f
SHA1 9d90ff42c13e1a1159651e7103812fd3eddec3b1
SHA256 155464e7a35faffd6b3b4f2e6b757098204e8a24221641b58ee8156acfd2e1fc
SHA512 62f13178aa3f33ba1410a6005b4d592f98438523b3e47cac35fb94da07bedc4a5c3ab4ee65f6419005835cfd635004445b671dc904ddb387afd8b2a851428a66

C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.cvenc

MD5 3536836727833db6cb4c9c2228c7a1ef
SHA1 87dbfa7caa40738be50718331c72181ea2447513
SHA256 5e7bcd0a6c8dee49fae4463665b489bf9f510d9fa2babba01fa581ebf6ddc188
SHA512 469bf51e68b021a1f19665270c433a86dfc69f38dda676c247cad14f6840f5798a23ba3d7ce8855ab3981644e7793464b9a69cec625f0c572f4169d366de0356

C:\Users\Admin\AppData\Roaming\time.dat

MD5 a52357f1ce8160dee6563b6a3391ffa8
SHA1 b73819a7e2227bda306f42ddd029c72406b1f55a
SHA256 bfed65e0ee3b331187d31bd503dcbad42f17bf749b37c34f64cf8bbc3007073c
SHA512 01d5c13702803762b4e163f6f03c5d5f46b81e4c2badbee0cd2e463f53f26fee98895278061ad078f61e9b28d1057fa3f576c17ec9171ee57a743fcb14fd65db

C:\Users\Admin\AppData\Roaming\time.dat

MD5 70625b0985a7b4378d1aa0077176dc3a
SHA1 35710ebc51a11f6d2147aa31501bf8e54ef4b68e
SHA256 fd3422d11e9fdacf030f74df8a97aef973337371c49d6746fa29e06a4e54888b
SHA512 b45318d77adb8bd37d6b39b6e876b65e6fd8b74f06c773b73cd31a3b5df927dec02170789f0000c63f637d85e51212135f27ca3f06e7cea707dd21357f737d58

C:\Users\Admin\AppData\Roaming\time.dat

MD5 4a90df0803c61aab5c319444f910371b
SHA1 ec20ef7d365ac361b3a7970d329d9b4e93d67f40
SHA256 5cf32f9151895f7869e8af1d91c81444a0d3157ad5f4484dcbcab8a29d6bc6ac
SHA512 f434f0cf630953e364a1f9706e10dc0519ae09bee281d5efd9288b307233ebb006c004c6f2d54044487f5bd1628dd9130616a82d585bef4edc13f6a752f84519

C:\Users\Admin\AppData\Roaming\time.dat

MD5 eb4ab9e8db10f6fd9c9a5085f3a75fdd
SHA1 cababf2bea2f1f0fb553b9d65dc2cde33a225489
SHA256 e20c996edc342b0e8fe4abe8a1b4373ae040e36b367cf6188e43d04950b7f6c6
SHA512 ccf44347376c9d905a5729478d1cf6f94b4f72c9119da4cb91649a57db62746cb874c929603478410397a2317397941626a10399b9e7e294f551240473422c70

C:\Users\Admin\AppData\Roaming\time.dat

MD5 3de50263500e3421017469e47e8dd36e
SHA1 8c27afff5097d219658bc9b81db313e5d7b0fde1
SHA256 8544b9f0f260994269b6b0ddc1163e264892fcc918340a09d317716bf1256f5c
SHA512 45c677ff4c803d5894450d12f9cb266cbaee081e39d7d5d41e2975f1e65a706f57791210299bd46af46b317ae5c38de62e64644ab5bbbe8994e6d2f33666c2ad

C:\Users\Admin\AppData\Roaming\time.dat

MD5 80789d636d68ec8ac889de80365bbd57
SHA1 3bb9bcc2062451ef97924164c01519a628289354
SHA256 690ef8482b21fa77fdf533db95daa5559db82ef7106ee5514dd0cbff9efeb769
SHA512 600faea7f044ae648b6008d66b84ee5950d76acb65e2718f7b914d23617656862c66522c2ecc58ea46e301124e42f6eaa6454f00dcc0fc834b69cd5ca0885e91

C:\Users\Admin\AppData\Roaming\time.dat

MD5 6af4fc014bd8b2c00572f5149fc7f522
SHA1 d99e5cab5b497f41ab721d93fd8645d4948090b9
SHA256 9c1ee8df1c0a91f0259f13024069c7fd8d7601df3b4b305f358bd8ce161aedb2
SHA512 d30482778d27953f1c8dff78eaeb2f4ac14da5eb9149dd3519932293d9e4048a1afbc4ad5ca5c4dd3caf47e658706b07ff8dd25560b0f724e517811b2ba7f35b

Analysis: behavioral4

Detonation Overview

Submitted

2025-07-01 07:25

Reported

2025-07-01 07:28

Platform

win11-20250619-en

Max time kernel

150s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom.exe"

Signatures

Renames multiple (2895) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification \??\f:\$RECYCLE.BIN\S-1-5-21-707770698-2523217751-1187874351-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom.exe

"C:\Users\Admin\AppData\Local\Temp\ransom.exe"

Network

Files

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\CyberVolk_ReadMe.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shared Dictionary\cache\index.cvenc

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Indexed DB\EDGE\edbres00002.jrs.cvenc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kniw7saj.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kniw7saj.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.cvenc

C:\Users\Admin\AppData\Roaming\time.dat

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.cvenc

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc
