Analysis

  • max time kernel
    146s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-05-2021 19:41

General

  • Target

    f8779af577c68ff3add11db6f6e63e8e.exe

  • Size

    6.8MB

  • MD5

    f8779af577c68ff3add11db6f6e63e8e

  • SHA1

    d687be4410485a26c766edb253aa6d572e322bc1

  • SHA256

    cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30

  • SHA512

    0605a1b28e4d0ad2975167c613687c8933ab4b0f5c9388d3158a582a25824aaf1663544cdb6a9697cb82abc281c600092d51f07180812170289fcf99bc5aab84

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 13 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 13 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 40 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe (PID 460)
    C:\Windows\system32\services.exe
    • C:\Windows\system32\svchost.exe (PID 884)
      C:\Windows\system32\svchost.exe -k netsvcs
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      • C:\Windows\system32\wbem\WMIADAP.EXE (PID 2012)
        wmiadap.exe /F /T /R
    • C:\Windows\system32\svchost.exe (PID 1948)
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      Signatures: Modifies registry class
  • C:\Users\Admin\AppData\Local\Temp\f8779af577c68ff3add11db6f6e63e8e.exe (PID 1036)
    "C:\Users\Admin\AppData\Local\Temp\f8779af577c68ff3add11db6f6e63e8e.exe"
    Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe (PID 1996)
      "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (PID 2104)
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        Signatures: Executes dropped EXE
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (PID 2300)
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    • C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe (PID 652)
      "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
      Signatures: Executes dropped EXE
      • C:\Windows\SysWOW64\WerFault.exe (PID 2136)
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 760
        Signatures: Loads dropped DLL; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam
    • C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe (PID 1088)
      "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe (PID 1488)
      "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
      Signatures: Executes dropped EXE
      • C:\Windows\SysWOW64\rUNdlL32.eXe (PID 2000)
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        Signatures: Loads dropped DLL; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    • C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe (PID 1732)
      "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\is-J5V2A.tmp\LabPicV3.tmp (PID 1896)
        "C:\Users\Admin\AppData\Local\Temp\is-J5V2A.tmp\LabPicV3.tmp" /SL5="$50122,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL
    • C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe (PID 1768)
      "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\is-P6OJQ.tmp\lylal220.tmp (PID 1880)
        "C:\Users\Admin\AppData\Local\Temp\is-P6OJQ.tmp\lylal220.tmp" /SL5="$30176,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL
    • C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe (PID 1716)
      "C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\WerFault.exe (PID 324)
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 200
        Signatures: Loads dropped DLL; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
    • C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe (PID 1248)
      "C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\is-LAFQR.tmp\Versium.tmp (PID 1824)
        "C:\Users\Admin\AppData\Local\Temp\is-LAFQR.tmp\Versium.tmp" /SL5="$201B4,138429,56832,C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
        Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
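The process tree is the part of this report a detection engineer actually turns into rules: a dropper writing every stage into one Program Files subfolder, Inno Setup second stages re-launched via /SL5, a cookie dumper driven by a /scookiestxt switch, rundll32 loading a DLL out of %TEMP% by export name (with the image name case-mangled as rUNdlL32.eXe), and two of the dropped executables crashing into WerFault. The following Python is an added example, not part of the sandbox report: it classifies process-creation events against those behaviours and runs them over sample events constructed from the command lines and PIDs in the tree. The event schema (pid, image, cmdline, parent_image), the rule names and the sample events are my own assumptions.

```python
"""Hunting rules derived from the process tree above.

Added example, not part of the sandbox report. The ProcEvent fields, the
rule names and SAMPLE_EVENTS are constructed by the editor from the command
lines and PIDs shown in the tree.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process image
    cmdline: str        # command line as launched
    parent_image: str   # full path of the parent process image


# Install directory every dropped stage was written to (from the tree).
DROP_DIR = r"c:\program files (x86)\data finder\versium research"

# rundll32 loading a DLL out of a user's %TEMP% and calling a named export,
# e.g.  "...\AppData\Local\Temp\install.dll",install   (matched on the
# lower-cased command line).
RUNDLL_TEMP_DLL = re.compile(
    r'"?(?P<dll>[a-z]:\\users\\[^"]*?\\appdata\\local\\temp\\[^",]+\.dll)"?\s*,\s*(?P<export>\w+)'
)

# Inno Setup second stage: setup.tmp re-launched with
# /SL5="$handle,offset,size,<original installer exe>"
INNO_SL5 = re.compile(r'/SL5="\$[0-9a-f]+,\d+,\d+,(?P<src>[^"]+)"', re.IGNORECASE)


def norm_path(p: str) -> str:
    """Case-fold and strip quotes. NTFS paths are case-insensitive, so the
    mixed-case rUNdlL32.eXe in the tree is the same binary as rundll32.exe;
    a case-sensitive string match would miss it."""
    return p.strip('"').replace("/", "\\").lower()


def basename(p: str) -> str:
    return norm_path(p).rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event trips (empty list = clean)."""
    hits: List[str] = []
    img = basename(ev.image)
    cmd = ev.cmdline.lower()
    in_drop_dir = norm_path(ev.image).startswith(DROP_DIR)
    parent_in_drop_dir = norm_path(ev.parent_image).startswith(DROP_DIR)

    if in_drop_dir or parent_in_drop_dir:
        hits.append("versium_research_drop_dir")       # sample-specific IOC
    if img == "rundll32.exe" and RUNDLL_TEMP_DLL.search(cmd):
        hits.append("rundll32_temp_dll")               # generic behaviour
    if "/scookiestxt" in cmd:
        hits.append("cookie_dump_switch")              # sample-specific IOC
    if img == "werfault.exe" and parent_in_drop_dir:
        hits.append("dropped_exe_crash")               # crash of a dropped stage
    if img.endswith(".tmp") and INNO_SL5.search(ev.cmdline):
        hits.append("inno_setup_stage2")               # generic, noisy on its own
    return hits


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each PID that tripped at least one rule to its rule hits."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            out[ev.pid] = hits
    return out


VR = r"C:\Program Files (x86)\Data Finder\Versium Research"
SAMPLE_EVENTS = [  # constructed from the process tree above
    ProcEvent(2012, r"C:\Windows\system32\wbem\WMIADAP.EXE", "wmiadap.exe /F /T /R",
              r"C:\Windows\system32\svchost.exe"),
    ProcEvent(2104, r"C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe",
              r"C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt",
              VR + r"\hjjgaa.exe"),
    ProcEvent(2136, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 760", VR + r"\RunWW.exe"),
    ProcEvent(2000, r"C:\Windows\SysWOW64\rUNdlL32.eXe",
              r'"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install',
              VR + r"\guihuali-game.exe"),
    ProcEvent(1896, r"C:\Users\Admin\AppData\Local\Temp\is-J5V2A.tmp\LabPicV3.tmp",
              r'"C:\Users\Admin\AppData\Local\Temp\is-J5V2A.tmp\LabPicV3.tmp" /SL5="$50122,506127,422400,' + VR + r'\LabPicV3.exe"',
              VR + r"\LabPicV3.exe"),
]

if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Only the drop-directory and /scookiestxt rules are specific to this sample; the rundll32-from-%TEMP% rule generalises and is worth alerting on alone, while the Inno Setup /SL5 rule fires on every legitimate Inno installer and is only useful as context for the other hits. Match on case-folded paths everywhere: the report itself shows the rundll32 image name written as rUNdlL32.eXe, which slips past any rule that compares the raw string.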

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe

        MD5

        96a80d0e7aafd552c6857ef310d64c7d

        SHA1

        b4f308a47c85a76e22b01cc6291c70a4e459ebe2

        SHA256

        1e706fc40379884d40b62ab4f6b26cd576447d93fc429123a2eae1b9c26892db

        SHA512

        f2671402c7eee989b62a0367eeba766ae7ac1dddfbbb45c4c62799112b8638fc798c79bb1772aa3a7a51e404239feb633ba2a03aebb84dd04a69adc47e2954b4

      • C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe

        MD5

        1e09b73afa67d8bfe8591eb605cef0e3

        SHA1

        147fdec45342a0e069dd1aeea2c109440894bef9

        SHA256

        431c13d939d7460db6ec5f524145a93fae7711d61344fbf1898cea7895480286

        SHA512

        b74516b1f3d241790537aaaaf9c8b90bd2edbcf2e7693c166b11c260d6689b9e0f2a9c25b5e6787d6c717eb9ad64605b783bdd1ac09a9b50f211112007c27a49

      • C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe

        MD5

        1757f447661fdd9a96df09e47098c5cb

        SHA1

        f6eb4dae2cfea18ddabf120a2a12886d558e56a2

        SHA256

        a4904600ca5c08db5e7949480af9693d7fa0dd3bcebcad59c0c0808df8704a98

        SHA512

        6a533dc9cc3d9d19a63aa95eb85496d5c59f0ba9929c6482a7f49a25381e9c92a11c68b0fc3167cfe2154272db28968e37ae2e48b61d53e1a7f96d71efd5c741

      • C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe

        MD5

        f6e70fbfe1d53b8d9d6d0b273542a7f7

        SHA1

        1f962079e158b2b0b27a02e6985a14e5f739d368

        SHA256

        ba0da2f848a7beeb8109b7a4baa6f79434be60a47a3ae9a980b29568d53eb8aa

        SHA512

        2a951950502ec835bea6ef875b519941d05f00a96dd0b6b9aef59b40723d32a5a6d546e4ba39650e046bc7dd1e23eba383fc41b8f96cf5ffe406a2f17fdb5b61

      • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe

        MD5

        a30bdf843d0961c11e78fed101764f74

        SHA1

        0c421c3d2d007a09b9b968ac485464844fa8ca9d

        SHA256

        2c709b91decabb0daca10556e5cdd3a5efc6422ee1e27d9914475a26fa7cf219

        SHA512

        fea2281da0325f27e78483117356776400f01760c13bd3fab7c2f6ac91d5eb64300b820dedc9b55c84ecdeb7132b700a366046789b30b7ad7c9d0b9f577847bf

      • C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe

        MD5

        6bd341bfca324b52dfa4f696c7978025

        SHA1

        09029b634ff31a7e2cc903f2e1580bc6f554558d

        SHA256

        faae49fcc25f6c53f5b94d7d878b4babffcc2fbcb79f4f3183c68b465b1c33c6

        SHA512

        d848b7ddd7b10be177c805f4ec9d8976ee2de9bf154512e1367c2d8c448ecdee505e53542e7ee84de3d4850cde7a2f3b0ae5890f1d9f9375ad47c1f328a3e216

      • C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe

        MD5

        b72ca731ce917c0cf7893702be1e30af

        SHA1

        d77a405a51e88c75b3bee2ab29662101ffb3e0a3

        SHA256

        783d47c446d1e482c19fbc6ded572ea16d5784dc775073662827c31f32d9a0ef

        SHA512

        a2f5ab9c3b846a115fec99aa0eb3ee9cfb8bd4daec5d95a69f29441db81f7137d78bddbd2dbd7cf4690581d43147d43300196f24add334fd6db5d53213d33158

      • C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe

        MD5

        1cb9c1b506a1a0e472ba4ed650b84f68

        SHA1

        967034fcd28bcf9650b4fb55cc3eee487d56bd7b

        SHA256

        c16b2b130f8099f72465ea300b41f14efa56ee8d76e8da80f048203aff69b1e4

        SHA512

        5df9c7b9ae0fa91209e92967034336f0ed8c5e884df3e89cdba59ca0d566d7419975cc8154cff41d6a71596b929ac48e4719ced06dd347f342db4eef796e6f9a

      • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

        MD5

        b7161c0845a64ff6d7345b67ff97f3b0

        SHA1

        d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

        SHA256

        fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

        SHA512

        98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

      • C:\Users\Admin\AppData\Local\Temp\install.dat

        MD5

        77038c199399d4830a6bf570d46c4edb

        SHA1

        6158a9e03e797535e4438bf2f995c4904ed16079

        SHA256

        9051a4489a9fa483934b8df5146cc5cb6c55a6f74fd58b266f731dffa4a3271e

        SHA512

        191f8cf61672b2c1fd23cfe7fad6b9341181f593f5c2dcef5f7db07918572b596ff8c078800ed4d4ea9e143ddbce99a8a445137a3737684f7e06aa6fc25d8b3d

      • C:\Users\Admin\AppData\Local\Temp\install.dll

        MD5

        5e6df381ce1c9102799350b7033e41df

        SHA1

        f8a4012c9547d9bb2faecfba75fc69407aaec288

        SHA256

        01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7

        SHA512

        a27ca6d1643fbbbb13e46f35d06fe8a5414a8ddaedd9e417cbb1636ad96228ccadee928d5204123f2221a20fe7c416587d78967b47ffcbcf3c6ac4b7a1ca887d

      • C:\Users\Admin\AppData\Local\Temp\is-J5V2A.tmp\LabPicV3.tmp

        MD5

        dda84ebcc3c9968655702f7a6da23e1f

        SHA1

        8514f2e9eab129bd8288d5f13cf0030cae2e7fc5

        SHA256

        743dcd957b3b1f5401d1812cbae0e546a31eff23507b5238198f8f0e7b65682b

        SHA512

        e54f70e0876b7f566b9889874c20b75eb7c264184a2e2e7067f6b5b5940331818c1bcf4e263b32e3d71c62f5f0c2880c07dabeb1d9742a3990231f6e459a61e8

      • C:\Users\Admin\AppData\Local\Temp\is-LAFQR.tmp\Versium.tmp

        MD5

        ffcf263a020aa7794015af0edee5df0b

        SHA1

        bce1eb5f0efb2c83f416b1782ea07c776666fdab

        SHA256

        1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

        SHA512

        49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

      • C:\Users\Admin\AppData\Local\Temp\is-P6OJQ.tmp\lylal220.tmp

        MD5

        93839f8c15234e4c8f1f9d0f285400a0

        SHA1

        afedb5526c9962a6257dbd0b805ed76f9f26b093

        SHA256

        449895149bf2a3864240e6ce912b90023cbf391adea2e35bcad7c73cb169b1a6

        SHA512

        69e77f62d27f1466576725d0c802437813bbff1af010b7460dfcd3f6cfa79de808f166bae437258cafbfcefb8d9de6ab658cdedb2e63d98a77f571b5e4ae77e7

      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

        MD5

        7fee8223d6e4f82d6cd115a28f0b6d58

        SHA1

        1b89c25f25253df23426bd9ff6c9208f1202f58b

        SHA256

        a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

        SHA512

        3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

        MD5

        a6279ec92ff948760ce53bba817d6a77

        SHA1

        5345505e12f9e4c6d569a226d50e71b5a572dce2

        SHA256

        8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

        SHA512

        213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

      • \Users\Admin\AppData\Local\Temp\is-FS6A4.tmp\_isetup\_shfoldr.dll

        MD5

        92dc6ef532fbb4a5c3201469a5b5eb63

        SHA1

        3e89ff837147c16b4e41c30d6c796374e0b8e62c

        SHA256

        9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

        SHA512

        9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

      • \Users\Admin\AppData\Local\Temp\is-FS6A4.tmp\itdownload.dll

        MD5

        d82a429efd885ca0f324dd92afb6b7b8

        SHA1

        86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

        SHA256

        b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

        SHA512

        5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

      • \Users\Admin\AppData\Local\Temp\is-IFQAO.tmp\_isetup\_shfoldr.dll

        MD5

        92dc6ef532fbb4a5c3201469a5b5eb63

        SHA1

        3e89ff837147c16b4e41c30d6c796374e0b8e62c

        SHA256

        9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

        SHA512

        9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

      • \Users\Admin\AppData\Local\Temp\is-IFQAO.tmp\idp.dll

        MD5

        8f995688085bced38ba7795f60a5e1d3

        SHA1

        5b1ad67a149c05c50d6e388527af5c8a0af4343a

        SHA256

        203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

        SHA512

        043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

      • \Users\Admin\AppData\Local\Temp\is-VUAE4.tmp\_isetup\_shfoldr.dll

        MD5

        92dc6ef532fbb4a5c3201469a5b5eb63

        SHA1

        3e89ff837147c16b4e41c30d6c796374e0b8e62c

        SHA256

        9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

        SHA512

        9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

      • \Users\Admin\AppData\Local\Temp\is-VUAE4.tmp\idp.dll

        MD5

        8f995688085bced38ba7795f60a5e1d3

        SHA1

        5b1ad67a149c05c50d6e388527af5c8a0af4343a

        SHA256

        203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

        SHA512

        043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

      • \Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

        MD5

        7fee8223d6e4f82d6cd115a28f0b6d58

        SHA1

        1b89c25f25253df23426bd9ff6c9208f1202f58b

        SHA256

        a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

        SHA512

        3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

      • \Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

        MD5

        a6279ec92ff948760ce53bba817d6a77

        SHA1

        5345505e12f9e4c6d569a226d50e71b5a572dce2

        SHA256

        8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

        SHA512

        213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

      • memory/324-122-0x0000000000000000-mapping.dmp

      • memory/652-65-0x0000000000000000-mapping.dmp

      • memory/1036-59-0x00000000750C1000-0x00000000750C3000-memory.dmp

        Filesize

        8KB

      • memory/1088-104-0x0000000000270000-0x0000000000290000-memory.dmp

        Filesize

        128KB

      • memory/1088-71-0x00000000013B0000-0x00000000013B1000-memory.dmp

        Filesize

        4KB

      • memory/1088-68-0x0000000000000000-mapping.dmp

      • memory/1088-109-0x000000001ADD0000-0x000000001ADD2000-memory.dmp

        Filesize

        8KB

      • memory/1088-89-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB

      • memory/1088-112-0x0000000000250000-0x0000000000251000-memory.dmp

        Filesize

        4KB

      • memory/1248-100-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/1248-94-0x0000000000000000-mapping.dmp

      • memory/1488-75-0x0000000000000000-mapping.dmp

      • memory/1716-86-0x0000000000000000-mapping.dmp

      • memory/1716-121-0x0000000000400000-0x000000000065D000-memory.dmp

        Filesize

        2.4MB

      • memory/1732-99-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/1732-78-0x0000000000000000-mapping.dmp

      • memory/1768-98-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/1768-82-0x0000000000000000-mapping.dmp

      • memory/1824-117-0x0000000000000000-mapping.dmp

      • memory/1824-137-0x0000000001F90000-0x0000000001FCC000-memory.dmp

        Filesize

        240KB

      • memory/1880-108-0x0000000000000000-mapping.dmp

      • memory/1896-107-0x0000000000000000-mapping.dmp

      • memory/1948-149-0x00000000FF72246C-mapping.dmp

      • memory/1996-61-0x0000000000000000-mapping.dmp

      • memory/1996-95-0x0000000000CB0000-0x000000000130F000-memory.dmp

        Filesize

        6.4MB

      • memory/2000-138-0x0000000000000000-mapping.dmp

      • memory/2104-152-0x0000000000000000-mapping.dmp

      • memory/2136-156-0x0000000000000000-mapping.dmp

      • memory/2300-163-0x0000000000000000-mapping.dmp
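The dropped-file and memory-dump listings above are what an analyst turns into IOCs, and two things in them are easy to miss by eye: the same path (`jfiag3g_gg.exe`) appears with two different digest sets, meaning it was written twice with different content, and each `memory/<pid>-<n>-<start>-<end>-memory.dmp` name encodes the address range from which the stated Filesize follows. The following is an added example, not code from the sandbox or the report: it parses a listing in this layout into records, checks every digest for the correct hex length, collapses repeated entries for identical content, flags paths that were overwritten, and recomputes each dump's size from its address range to cross-check the stated Filesize. The field labels and the dump-name pattern are taken from the listing; the size-formatting rule (whole KB below 1 MiB, one decimal of MB above) is an assumption that reproduces what the listing shows, and `SAMPLE` is constructed from entries copied from the listing.

```python
"""Parse a Triage-style dropped-file / memory-dump listing into checkable IOC records.
Added example, not part of the sandbox report; SAMPLE below is copied from the listing."""
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars per digest
# Dump names in the listing look like memory/<pid>-<n>-<start>[-<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")

# Constructed sample in the report's layout: one dropped path listed twice with different
# digests (it was overwritten), plus two memory ranges and one mapping entry.
SAMPLE = r"""
• \Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
• \Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77
SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
• memory/1248-100-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize
80KB
• memory/1716-121-0x0000000000400000-0x000000000065D000-memory.dmp
Filesize
2.4MB
• memory/1948-149-0x00000000FF72246C-mapping.dmp
"""


def parse_listing(text):
    """Split the listing into file records and memory-dump records (dicts keyed by label)."""
    files, dumps, current, key = [], [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("•"):  # a new entry begins with its path or dump name
            current, key = {"name": line[1:].strip()}, None
            (dumps if current["name"].startswith("memory/") else files).append(current)
        elif current is not None and key is None:  # label line such as MD5 or Filesize
            key = line
        elif current is not None:  # value line for the pending label
            current[key], key = line, None
    return files, dumps

def hash_problems(rec):
    """Names of digests that are missing, the wrong length or not hex; [] means clean."""
    return [algo for algo, n in DIGEST_LEN.items()
            if len(rec.get(algo, "")) != n or not re.fullmatch(r"[0-9a-fA-F]+", rec[algo])]

def unique_by_sha256(files):
    """Collapse repeated listings of identical content (the report has one entry per event)."""
    seen = {}
    for f in files:
        seen.setdefault(f.get("SHA256"), f)
    return list(seen.values())

def overwritten_paths(files):
    """Paths seen with more than one SHA256: the same name was written with different content."""
    by_path = defaultdict(set)
    for f in files:
        by_path[f["name"]].add(f.get("SHA256"))
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}

def parse_dump_name(name):
    """Decode a dump name into pid, index, start/end addresses and kind; None if unrecognised."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, n, start, end, kind = m.groups()
    return {"pid": int(pid), "n": int(n), "start": int(start, 16),
            "end": int(end, 16) if end else None, "kind": kind}

def human_size(nbytes):
    """Assumed size format matching the listing: whole KB below 1 MiB, one decimal of MB above."""
    return f"{nbytes / 2**20:.1f}MB" if nbytes >= 2**20 else f"{nbytes // 1024}KB"

def check_dump_sizes(dumps):
    """Recompute each range's size from its addresses and compare with the stated Filesize."""
    out = []
    for d in dumps:
        info = parse_dump_name(d["name"])
        if info and info["end"] is not None:
            size = info["end"] - info["start"]
            out.append((info["pid"], size, human_size(size) == d.get("Filesize")))
    return out

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    print(len(unique_by_sha256(files)), "unique files; overwritten:", overwritten_paths(files))
    print(check_dump_sizes(dumps))
```

Run on the full listing, `overwritten_paths` is the quick way to spot a dropper replacing its own payload in place, and `unique_by_sha256` gives the de-duplicated hash set to push into a blocklist. The regions whose range starts at 0x400000 are the processes' main image mappings (the usual image base for 32-bit executables), which is where an unpacked copy of a VMProtect- or UPX-wrapped payload would be dumped from; recomputing their sizes from the addresses catches a mis-transcribed range before it is used as an artifact reference.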