Analysis Overview
SHA256
439ff2060a600d666dafcf86f7ef8fea5ee0cca7e39521c986a3181d99ede61d
Threat Level: Known bad
The file 439ff2060a600d666dafcf86f7ef8fea5ee0cca7e39521c986a3181d99ede61d.zip was found to be: Known bad.
Malicious Activity Summary
Renames multiple (2710) files with added filename extension
Renames multiple (2895) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Sets desktop wallpaper using registry
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 07:25
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 07:25
Reported
2025-07-01 07:28
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
140s
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/4460-1-0x0000000000400000-0x00000000004DD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-01 07:25
Reported
2025-07-01 07:28
Platform
win11-20250610-en
Max time kernel
40s
Max time network
60s
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
Files
memory/4592-1-0x0000000000400000-0x00000000004DD000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2025-07-01 07:25
Reported
2025-07-01 07:28
Platform
win10v2004-20250619-en
Max time kernel
150s
Max time network
146s
Signatures
Renames multiple (2710) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | \??\f:\$RECYCLE.BIN\S-1-5-21-4144907350-1836498122-2806216936-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\CyberVolk_ReadMe.txt
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133948122616068753.txt.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133948128344759353.txt.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133948130976112793.txt.cvenc
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.cvenc
C:\Users\Admin\AppData\Roaming\time.dat
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.cvenc
Analysis: behavioral4
Detonation Overview
Submitted
2025-07-01 07:25
Reported
2025-07-01 07:28
Platform
win11-20250619-en
Max time kernel
150s
Max time network
104s
Signatures
Renames multiple (2895) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | \??\f:\$RECYCLE.BIN\S-1-5-21-707770698-2523217751-1187874351-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom.exe"
Network
Files
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\CyberVolk_ReadMe.txt
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shared Dictionary\cache\index.cvenc
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Indexed DB\EDGE\edbres00002.jrs.cvenc
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kniw7saj.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kniw7saj.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.cvenc
C:\Users\Admin\AppData\Roaming\time.dat
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.cvenc
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc