Malware Analysis Report

2024-12-07 03:00

Sample ID 241111-cqmxeszkdv
Target WannaCry.exe
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Tags
wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Threat Level: Known bad

The file WannaCry.exe was found to be: Known bad.

Malicious Activity Summary

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Wannacry

Wannacry family

Deletes shadow copies

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Kills process with taskkill

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 02:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 02:16

Reported

2024-11-11 02:52

Platform

win10v2004-20241007-en

Max time kernel

1790s

Max time network

1154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

Signatures

Wannacry

ransomware worm wannacry

Wannacry family

wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9644.tmp C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD965A.tmp C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3728 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3728 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3728 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1460 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1460 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1460 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1460 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 1460 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1460 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1460 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1460 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4056 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 4056 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1460 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1460 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1460 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 228 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 436 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 436 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 35601731291729.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:9050 N/A tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp

Files

memory/1460-6-0x0000000010000000-0x0000000010012000-memory.dmp

memory/1460-7-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u.wry

C:\Users\Admin\AppData\Local\Temp\35601731291729.bat

C:\Users\Admin\AppData\Local\Temp\c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

C:\Users\Admin\AppData\Local\Temp\c.wry

C:\Users\Admin\AppData\Local\Temp\00000000.res

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

C:\Users\Admin\AppData\Local\Temp\00000000.res

C:\Users\Admin\AppData\Local\Temp\c.wry

C:\Users\Admin\AppData\Local\Temp\m.wry

C:\Users\Admin\AppData\Local\Temp\00000000.res
