vidar | ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3

Analysis

max time kernel
66s
max time network
127s
platform
windows10_x64
resource
win10v20201028
submitted
25-03-2021 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
Size

784KB
MD5

1d963f2296c5363f16dff1165cb8e413
SHA1

15f699a8a754a937081a27ab75d4a793b82993e6
SHA256

ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
SHA512

a76bf1f1398800ee0a09088d42dc38ce2d42b66e24a8cb4c97f1c055702483193467b562740c808106fa813614425304993f16e9a101e1e8202deec4ef65e2be

Score

10^/10

vidar discovery persistence spyware stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 2 IoCs

Processes:

updatewin.exe5.exe

pid process

1324 updatewin.exe
2136 5.exe
Loads dropped DLL 2 IoCs

Processes:

5.exe

pid process

2136 5.exe
2136 5.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3708 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1324	updatewin.exe
2136	5.exe

pid	process
2136	5.exe
2136	5.exe

pid	process
3708	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\189211a5-3899-4f19-aea8-f304a83bbcd7\\ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe\" --AutoStart"	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.2ip.ua
8 api.2ip.ua
11 api.2ip.ua
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
18	api.2ip.ua
8	api.2ip.ua
11	api.2ip.ua

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2220 timeout.exe
2268 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2748 taskkill.exe

pid	process
2220	timeout.exe
2268	timeout.exe

pid	process
2748	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

ed8a7ffec56f450a365e758012db092883bbd23565f3f.exeed8a7ffec56f450a365e758012db092883bbd23565f3f.exe5.exe

pid	process
412	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
412	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
3608	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
3608	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
2136	5.exe
2136	5.exe
2136	5.exe
2136	5.exe
2136	5.exe
2136	5.exe
2136	5.exe
2136	5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2748 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2748	taskkill.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

ed8a7ffec56f450a365e758012db092883bbd23565f3f.exeed8a7ffec56f450a365e758012db092883bbd23565f3f.exeupdatewin.execmd.exe5.execmd.exe

description	pid	process	target process
PID 412 wrote to memory of 3708	412	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	icacls.exe
PID 412 wrote to memory of 3708	412	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	icacls.exe
PID 412 wrote to memory of 3708	412	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	icacls.exe
PID 412 wrote to memory of 3608	412	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
PID 412 wrote to memory of 3608	412	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
PID 412 wrote to memory of 3608	412	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
PID 3608 wrote to memory of 1324	3608	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	updatewin.exe
PID 3608 wrote to memory of 1324	3608	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	updatewin.exe
PID 3608 wrote to memory of 1324	3608	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	updatewin.exe
PID 3608 wrote to memory of 2136	3608	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	5.exe
PID 3608 wrote to memory of 2136	3608	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	5.exe
PID 3608 wrote to memory of 2136	3608	ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe	5.exe
PID 1324 wrote to memory of 3360	1324	updatewin.exe	cmd.exe
PID 1324 wrote to memory of 3360	1324	updatewin.exe	cmd.exe
PID 1324 wrote to memory of 3360	1324	updatewin.exe	cmd.exe
PID 3360 wrote to memory of 2220	3360	cmd.exe	timeout.exe
PID 3360 wrote to memory of 2220	3360	cmd.exe	timeout.exe
PID 3360 wrote to memory of 2220	3360	cmd.exe	timeout.exe
PID 2136 wrote to memory of 200	2136	5.exe	cmd.exe
PID 2136 wrote to memory of 200	2136	5.exe	cmd.exe
PID 2136 wrote to memory of 200	2136	5.exe	cmd.exe
PID 200 wrote to memory of 2748	200	cmd.exe	taskkill.exe
PID 200 wrote to memory of 2748	200	cmd.exe	taskkill.exe
PID 200 wrote to memory of 2748	200	cmd.exe	taskkill.exe
PID 200 wrote to memory of 2268	200	cmd.exe	timeout.exe
PID 200 wrote to memory of 2268	200	cmd.exe	timeout.exe
PID 200 wrote to memory of 2268	200	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
"C:\Users\Admin\AppData\Local\Temp\ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\189211a5-3899-4f19-aea8-f304a83bbcd7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:3708

C:\Users\Admin\AppData\Local\Temp\ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
"C:\Users\Admin\AppData\Local\Temp\ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3608

C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\updatewin.exe
"C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\updatewin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\updatewin.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:2220

C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\5.exe
"C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\5.exe" & del C:\ProgramData\*.dll & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
6f9501f45b2159aaf154d33a937ef6e7

SHA1
7d36f2e3b2e22637910ccb6116ba329bb2008ba3

SHA256
8224875e3a039c7e2a808e232274ae1dd9507f68a537d413eeeb71f45a061364

SHA512
96fd8786083af7af18913cc9317c8f79646a5633658e87d743aa5d6a33c991a14fbc75e0a29f4985b31078eeaf6e7412f70416fd3274a084f41e03ee3e6614c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
e644cdbe0fd68a6ece0559497c45bf84

SHA1
c809996c27832b39bfcf183ea162f2f7c2436a0f

SHA256
082e4c7215addf5bb77a8dbba1bb9fbc2db49c0db4f84124aa3c1d2ad51f8657

SHA512
679e8bf80e8a001873f92b3c3d3e09c69f032053fad6afc451108ac1c2d5fad1bfe5b339a5dbcced6daf229d6cba5ae322929998fc51999d96576e424e3e9106

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
e44701ffb3c15fcacc229d3ab7c7e09b

SHA1
939d74e0457d0f65684d9f556fc96cd8203f5383

SHA256
cb6800568be911b39d92b43728ab8c9dc6fa97a83a7015fc00ba7ca47d39ff41

SHA512
235245352e2c7b5d9753f869b04447198f631b96cb983dad8ade27a1e209f509816ab9078295b08badc8b49b39def9a742f80376a21c6f4b1b17af88e34d235b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c62dfc2eff00bf0674bc66bf4fc328d4

SHA1
2abd718c3504900f3e712212a8c2c43af4a58826

SHA256
c7e8880ef7ab2879ea9e668caa6c82eb9d3bf78f5a1e1a90fd3bc8d0466b1475

SHA512
c3581294a76e6d814b636699b221b2d32f1d72cd681e8b8562d6fb731f69fc155ce40e5a5ef453704daf87d8fada935ea866b512562e7015ce6a7f3f8beeb49c

Download Submit
C:\Users\Admin\AppData\Local\189211a5-3899-4f19-aea8-f304a83bbcd7\ed8a7ffec56f450a365e758012db092883bbd23565f3f.exe
MD5
1d963f2296c5363f16dff1165cb8e413

SHA1
15f699a8a754a937081a27ab75d4a793b82993e6

SHA256
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3

SHA512
a76bf1f1398800ee0a09088d42dc38ce2d42b66e24a8cb4c97f1c055702483193467b562740c808106fa813614425304993f16e9a101e1e8202deec4ef65e2be

Download Submit
C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\5.exe
MD5
212b12e2686111514455c97b689c8457

SHA1
2c39181e491ccea8f3eb1020b698bfaf57b31c15

SHA256
a8fe17654d8f2a952fee93bd6e78864ee4a2e766c92e6ba7dda2b0117e1ef97a

SHA512
cec5e902dce2dd4d70eef4ca835efa2704e49c434dd81e2b99100df76b1b095110e11b54ad5d2036d60f5378bf5fd637c5e0d36b7fcd3c0cd9cd77bc34c95346

Download Submit
C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\5.exe
MD5
212b12e2686111514455c97b689c8457

SHA1
2c39181e491ccea8f3eb1020b698bfaf57b31c15

SHA256
a8fe17654d8f2a952fee93bd6e78864ee4a2e766c92e6ba7dda2b0117e1ef97a

SHA512
cec5e902dce2dd4d70eef4ca835efa2704e49c434dd81e2b99100df76b1b095110e11b54ad5d2036d60f5378bf5fd637c5e0d36b7fcd3c0cd9cd77bc34c95346

Download Submit
C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\updatewin.exe
MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
C:\Users\Admin\AppData\Local\2f61fc79-6c97-412e-8d7d-9ad96872610c\updatewin.exe
MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/200-28-0x0000000000000000-mapping.dmp

Download
memory/412-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/412-3-0x0000000000CC0000-0x0000000000DDA000-memory.dmp

Filesize
1.1MB

Download
memory/412-2-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1324-15-0x0000000000000000-mapping.dmp

Download
memory/2136-18-0x0000000000000000-mapping.dmp

Download
memory/2136-21-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2136-22-0x0000000003080000-0x0000000003116000-memory.dmp

Filesize
600KB

Download
memory/2136-23-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2220-27-0x0000000000000000-mapping.dmp

Download
memory/2268-30-0x0000000000000000-mapping.dmp

Download
memory/2748-29-0x0000000000000000-mapping.dmp

Download
memory/3360-26-0x0000000000000000-mapping.dmp

Download
memory/3608-14-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3608-8-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3608-7-0x0000000000000000-mapping.dmp

Download
memory/3708-5-0x0000000000000000-mapping.dmp

Download