vidar | 0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0

Analysis

max time kernel
124s
max time network
127s
platform
windows10_x64
resource
win10v20201028
submitted
30-03-2021 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda422a54b108ec592b499e0dc59e6c6.exe
Size

704KB
MD5

fda422a54b108ec592b499e0dc59e6c6
SHA1

8ee655935d7620a6d2f18f26d0532f9dfa8b56e8
SHA256

0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0
SHA512

11a8e56836af1b1b86dbea68fc570535d2f74266fecda6fa9e6f90431d9596740632a35fa0ca86d8b9f58706425f3ecda2dc572f3c47bf7e2323c02f43ead52e

Score

10^/10

vidar discovery persistence spyware stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 2 IoCs

Processes:

updatewin.exe5.exe

pid process

2072 updatewin.exe
3880 5.exe
Loads dropped DLL 2 IoCs

Processes:

5.exe

pid process

3880 5.exe
3880 5.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1232 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2072	updatewin.exe
3880	5.exe

pid	process
3880	5.exe
3880	5.exe

pid	process
1232	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fda422a54b108ec592b499e0dc59e6c6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a9773302-c76d-41ac-9415-e41388c41e40\\fda422a54b108ec592b499e0dc59e6c6.exe\" --AutoStart"	fda422a54b108ec592b499e0dc59e6c6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.2ip.ua
10 api.2ip.ua
20 api.2ip.ua
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
9	api.2ip.ua
10	api.2ip.ua
20	api.2ip.ua

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3896 timeout.exe
764 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2488 taskkill.exe

pid	process
3896	timeout.exe
764	timeout.exe

pid	process
2488	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

fda422a54b108ec592b499e0dc59e6c6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	fda422a54b108ec592b499e0dc59e6c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	fda422a54b108ec592b499e0dc59e6c6.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

fda422a54b108ec592b499e0dc59e6c6.exefda422a54b108ec592b499e0dc59e6c6.exe5.exe

pid	process
4040	fda422a54b108ec592b499e0dc59e6c6.exe
4040	fda422a54b108ec592b499e0dc59e6c6.exe
3060	fda422a54b108ec592b499e0dc59e6c6.exe
3060	fda422a54b108ec592b499e0dc59e6c6.exe
3880	5.exe
3880	5.exe
3880	5.exe
3880	5.exe
3880	5.exe
3880	5.exe
3880	5.exe
3880	5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2488 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2488	taskkill.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

fda422a54b108ec592b499e0dc59e6c6.exefda422a54b108ec592b499e0dc59e6c6.exeupdatewin.execmd.exe5.execmd.exe

description	pid	process	target process
PID 4040 wrote to memory of 1232	4040	fda422a54b108ec592b499e0dc59e6c6.exe	icacls.exe
PID 4040 wrote to memory of 1232	4040	fda422a54b108ec592b499e0dc59e6c6.exe	icacls.exe
PID 4040 wrote to memory of 1232	4040	fda422a54b108ec592b499e0dc59e6c6.exe	icacls.exe
PID 4040 wrote to memory of 3060	4040	fda422a54b108ec592b499e0dc59e6c6.exe	fda422a54b108ec592b499e0dc59e6c6.exe
PID 4040 wrote to memory of 3060	4040	fda422a54b108ec592b499e0dc59e6c6.exe	fda422a54b108ec592b499e0dc59e6c6.exe
PID 4040 wrote to memory of 3060	4040	fda422a54b108ec592b499e0dc59e6c6.exe	fda422a54b108ec592b499e0dc59e6c6.exe
PID 3060 wrote to memory of 2072	3060	fda422a54b108ec592b499e0dc59e6c6.exe	updatewin.exe
PID 3060 wrote to memory of 2072	3060	fda422a54b108ec592b499e0dc59e6c6.exe	updatewin.exe
PID 3060 wrote to memory of 2072	3060	fda422a54b108ec592b499e0dc59e6c6.exe	updatewin.exe
PID 3060 wrote to memory of 3880	3060	fda422a54b108ec592b499e0dc59e6c6.exe	5.exe
PID 3060 wrote to memory of 3880	3060	fda422a54b108ec592b499e0dc59e6c6.exe	5.exe
PID 3060 wrote to memory of 3880	3060	fda422a54b108ec592b499e0dc59e6c6.exe	5.exe
PID 2072 wrote to memory of 732	2072	updatewin.exe	cmd.exe
PID 2072 wrote to memory of 732	2072	updatewin.exe	cmd.exe
PID 2072 wrote to memory of 732	2072	updatewin.exe	cmd.exe
PID 732 wrote to memory of 3896	732	cmd.exe	timeout.exe
PID 732 wrote to memory of 3896	732	cmd.exe	timeout.exe
PID 732 wrote to memory of 3896	732	cmd.exe	timeout.exe
PID 3880 wrote to memory of 2484	3880	5.exe	cmd.exe
PID 3880 wrote to memory of 2484	3880	5.exe	cmd.exe
PID 3880 wrote to memory of 2484	3880	5.exe	cmd.exe
PID 2484 wrote to memory of 2488	2484	cmd.exe	taskkill.exe
PID 2484 wrote to memory of 2488	2484	cmd.exe	taskkill.exe
PID 2484 wrote to memory of 2488	2484	cmd.exe	taskkill.exe
PID 2484 wrote to memory of 764	2484	cmd.exe	timeout.exe
PID 2484 wrote to memory of 764	2484	cmd.exe	timeout.exe
PID 2484 wrote to memory of 764	2484	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\fda422a54b108ec592b499e0dc59e6c6.exe
"C:\Users\Admin\AppData\Local\Temp\fda422a54b108ec592b499e0dc59e6c6.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a9773302-c76d-41ac-9415-e41388c41e40" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:1232

C:\Users\Admin\AppData\Local\Temp\fda422a54b108ec592b499e0dc59e6c6.exe
"C:\Users\Admin\AppData\Local\Temp\fda422a54b108ec592b499e0dc59e6c6.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\updatewin.exe
"C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\updatewin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\updatewin.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3896

C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\5.exe
"C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\5.exe" & del C:\ProgramData\*.dll & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
54e60fd0149fe960a1bb51d1a63724b3

SHA1
8edc3d0d641441a72c642c3e96dabfe8aa9877a8

SHA256
7cdb049d052b55ee9c2ba9096e8cf7e1f9117d2898c1679ab2ef2e8683356309

SHA512
090766a3ae2e7d091ee0f22ce954373327d9642e10451f55342b76b1aa444c8e16cc4102957570e08d7fa19b1e17fe34f8a764f8c041c82f799d095ccf0f357b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3be96afd7b9e0ff481b665d594167224

SHA1
aff8ca9cc93425b2c20b55aaf1c1e0b56f347144

SHA256
36981629cd13aef6fa93a598db9dd7745d491fb7bee57b235ddcb66f1a8c5799

SHA512
76df4e5a44f6be6e75136550ebdc4bad504cafeef08c2a3f3730343f43b22771b8a3f9ba6ea5b755ed4e674257754bf29b2b8197f9bc0894219dde5f34821299

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
126e4daef555646b6d55cef384989930

SHA1
8b6db0a77a3af6b0f0adf953f42391dd00201d08

SHA256
0c1077b508ca7d96e41ff9c5c419f9c236d46fd2b17760dd553b3291e5019e6a

SHA512
fc666b3f86789e3af69226945cd99b47a0583c3c52e94ed57ca46cbf9a327b50a49ca807ec8da4550f87f2c8e18a49a536de0d02b9515c57dc21f0a8ee651b38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
cc6af27281e9270942c00dc8e219f468

SHA1
15e44a7eca994bd0b0d7d2d51f56ef5334fc8dc2

SHA256
12cbdda4250b8d27190c9b766826b0b3e3e88644621ec8c7f5f9b0b821b75282

SHA512
6f05a9ed43df0caa4bf50c92aa13b83cb9c749f6c1f09bea51429a07035c9eb3c4939943ee2a7e6e7bd632046e222cad54bb8d422da83762fe59268dfb3bfc7b

Download Submit
C:\Users\Admin\AppData\Local\a9773302-c76d-41ac-9415-e41388c41e40\fda422a54b108ec592b499e0dc59e6c6.exe
MD5
fda422a54b108ec592b499e0dc59e6c6

SHA1
8ee655935d7620a6d2f18f26d0532f9dfa8b56e8

SHA256
0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0

SHA512
11a8e56836af1b1b86dbea68fc570535d2f74266fecda6fa9e6f90431d9596740632a35fa0ca86d8b9f58706425f3ecda2dc572f3c47bf7e2323c02f43ead52e

Download Submit
C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\f09a83d7-e522-463d-86a4-2924f39ef0db\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/732-31-0x0000000000000000-mapping.dmp

Download
memory/764-35-0x0000000000000000-mapping.dmp

Download
memory/1232-5-0x0000000000000000-mapping.dmp

Download
memory/2072-15-0x0000000000000000-mapping.dmp

Download
memory/2072-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2072-23-0x00000000009C0000-0x00000000009F6000-memory.dmp

Filesize
216KB

Download
memory/2072-21-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2484-33-0x0000000000000000-mapping.dmp

Download
memory/2488-34-0x0000000000000000-mapping.dmp

Download
memory/3060-14-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3060-8-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3060-7-0x0000000000000000-mapping.dmp

Download
memory/3880-28-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3880-27-0x00000000009A0000-0x0000000000A35000-memory.dmp

Filesize
596KB

Download
memory/3880-25-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3880-18-0x0000000000000000-mapping.dmp

Download
memory/3896-32-0x0000000000000000-mapping.dmp

Download
memory/4040-2-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/4040-3-0x00000000025A0000-0x00000000026BA000-memory.dmp

Filesize
1.1MB

Download
memory/4040-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download