Malware Analysis Report

2024-10-19 02:13

Sample ID 240104-dd4vvahhg7
Target 3fb54645fba660ad5c6824ccff364832
SHA256 de05db338a5854f13a46e498a6ba4484b7bd47062ed3adae9a93bb8cc767d3d9
Tags
vidar 706 discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de05db338a5854f13a46e498a6ba4484b7bd47062ed3adae9a93bb8cc767d3d9

Threat Level: Known bad

The file 3fb54645fba660ad5c6824ccff364832 was found to be: Known bad.

Malicious Activity Summary

vidar 706 discovery spyware stealer

Vidar

Vidar Stealer

Checks computer location settings

Reads user/profile data of web browsers

Deletes itself

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Kills process with taskkill

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-04 02:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-04 02:54

Reported

2024-01-04 02:57

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe"

Signatures

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe

"C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe" & del C:\ProgramData\*.dll & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.22:443 prophefliloc.tumblr.com tcp
MD 176.123.2.239:80 176.123.2.239 tcp

Files

memory/2968-1-0x0000000002D90000-0x0000000002E90000-memory.dmp

memory/2968-2-0x0000000000300000-0x000000000039D000-memory.dmp

memory/2968-3-0x0000000000400000-0x0000000002CBF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAAD2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarAB71.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2968-63-0x0000000000400000-0x0000000002CBF000-memory.dmp

memory/2968-80-0x0000000000400000-0x0000000002CBF000-memory.dmp

memory/2968-81-0x0000000002D90000-0x0000000002E90000-memory.dmp

memory/2968-82-0x0000000000300000-0x000000000039D000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 5d21ca36b78ecb220e2548020bc15ed7
SHA1 d4103638ab888429cdb7fd86d19f5778892352ac
SHA256 023c3490c339e79524933c9f6f09c9882c2f8f9a4093ceeb8ec08c4e25f7ab2e
SHA512 a256b73741b3103d8f7938bcd7222c98f29d6d040df9795a10143c4aa1cced388dd343b2221b4aab2a30bda8b60db342aa1d6bac0db685107cba1bdd96595ced

C:\ProgramData\freebl3.dll

MD5 400f4a9df16c57408a470f8824d1b0db
SHA1 1c4303b161495e1ac9e8b45dc17d48ec8ef32ed0
SHA256 a2ead324e8fb1bf569d026d0976f83d2bf9d2162151ddc8ef0d5a58ccc5e168c
SHA512 a91f8f813d09621541f85f87ce9069f3da3e871d6c69255a023d7dca8f7a8b0e4aca51929837c5a3d3656a84f12285530d3f56cbcb01d09a94a420469bf308ba

C:\ProgramData\msvcp140.dll

MD5 fa4fb3509396425b35c3bd4a11aca709
SHA1 f69e03b83b5a714de42a727b3fa97dfe725193ae
SHA256 8eb400d985182a0458c0518cba4b4d9eff1fb9904acadcbb6c8a8d0567c69393
SHA512 c23c7e848be36cad5c041c170bd1402c9907ed2c9818cc19d9124bb4b95da96b70419da05b3d94375d45896b7cf5beb06fe6ea823495e4d93877b16f1c4f54ae

C:\ProgramData\nss3.dll

MD5 81fd90a928ef821dfadc577370c2523c
SHA1 06e88b20550f1e65077025ba1cde98528751bc13
SHA256 79828ce5c456dd06feb743bf1f452c61ef800a52112cda3ce16f67cb25dbb1d8
SHA512 cb989ecf19563594bc74b6898e621897f2a197e292fb6d99a1e411bbe649e8481bcc47af0b7a5c9625549fa8d99bf1250d72033ccdf41d4207bad0928f75c673

C:\ProgramData\vcruntime140.dll

MD5 f87daed56fdfea78c2ed2566f440bada
SHA1 db707626249bbd4424fe896c29cb207136f096a7
SHA256 3896a4c4b6796f244b4c038a504f07455dd482f6f778c6355fa73e50fb541cb8
SHA512 3c6dbf313a2d5894fec53b9ed99cbad648a9897f00434ed24c2f60e34142e480c6593c40859905e892e581d9834f3d186400f58c05de40b5ac60488c3ce9a395

C:\ProgramData\softokn3.dll

MD5 fd5d75c4ab3ba343a378324d9b05bbff
SHA1 9b31507eee93eb2e6fee07889f008f9668d14dd3
SHA256 63365e7603f9cac52ff6ccc52a83436cf8073a6a97491fd3c5a2ccc52088b7dd
SHA512 81e59c3670b7f4bc2eb60e1966607a57dfabb891d667c9bde57c5ab6d4c84d7358af5ae55fdac7555e147d6d228358639be735e792f59d1d776a4ffa053bdc5d

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-04 02:54

Reported

2024-01-04 02:57

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe"

Signatures

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe

"C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe" & del C:\ProgramData\*.dll & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.22:443 prophefliloc.tumblr.com tcp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
MD 176.123.2.239:80 176.123.2.239 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 239.2.123.176.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
GB 88.221.134.32:80 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1912-1-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

memory/1912-2-0x0000000004A10000-0x0000000004AAD000-memory.dmp

memory/1912-3-0x0000000000400000-0x0000000002CBF000-memory.dmp

memory/1912-19-0x0000000000400000-0x0000000002CBF000-memory.dmp

memory/1912-66-0x0000000000400000-0x0000000002CBF000-memory.dmp

memory/1912-67-0x0000000004A10000-0x0000000004AAD000-memory.dmp

C:\ProgramData\vcruntime140.dll

MD5 f87daed56fdfea78c2ed2566f440bada
SHA1 db707626249bbd4424fe896c29cb207136f096a7
SHA256 3896a4c4b6796f244b4c038a504f07455dd482f6f778c6355fa73e50fb541cb8
SHA512 3c6dbf313a2d5894fec53b9ed99cbad648a9897f00434ed24c2f60e34142e480c6593c40859905e892e581d9834f3d186400f58c05de40b5ac60488c3ce9a395

C:\ProgramData\mozglue.dll

MD5 5d21ca36b78ecb220e2548020bc15ed7
SHA1 d4103638ab888429cdb7fd86d19f5778892352ac
SHA256 023c3490c339e79524933c9f6f09c9882c2f8f9a4093ceeb8ec08c4e25f7ab2e
SHA512 a256b73741b3103d8f7938bcd7222c98f29d6d040df9795a10143c4aa1cced388dd343b2221b4aab2a30bda8b60db342aa1d6bac0db685107cba1bdd96595ced

C:\ProgramData\softokn3.dll

MD5 fd5d75c4ab3ba343a378324d9b05bbff
SHA1 9b31507eee93eb2e6fee07889f008f9668d14dd3
SHA256 63365e7603f9cac52ff6ccc52a83436cf8073a6a97491fd3c5a2ccc52088b7dd
SHA512 81e59c3670b7f4bc2eb60e1966607a57dfabb891d667c9bde57c5ab6d4c84d7358af5ae55fdac7555e147d6d228358639be735e792f59d1d776a4ffa053bdc5d

C:\ProgramData\nss3.dll

MD5 81fd90a928ef821dfadc577370c2523c
SHA1 06e88b20550f1e65077025ba1cde98528751bc13
SHA256 79828ce5c456dd06feb743bf1f452c61ef800a52112cda3ce16f67cb25dbb1d8
SHA512 cb989ecf19563594bc74b6898e621897f2a197e292fb6d99a1e411bbe649e8481bcc47af0b7a5c9625549fa8d99bf1250d72033ccdf41d4207bad0928f75c673

C:\ProgramData\msvcp140.dll

MD5 fa4fb3509396425b35c3bd4a11aca709
SHA1 f69e03b83b5a714de42a727b3fa97dfe725193ae
SHA256 8eb400d985182a0458c0518cba4b4d9eff1fb9904acadcbb6c8a8d0567c69393
SHA512 c23c7e848be36cad5c041c170bd1402c9907ed2c9818cc19d9124bb4b95da96b70419da05b3d94375d45896b7cf5beb06fe6ea823495e4d93877b16f1c4f54ae

C:\ProgramData\freebl3.dll

MD5 400f4a9df16c57408a470f8824d1b0db
SHA1 1c4303b161495e1ac9e8b45dc17d48ec8ef32ed0
SHA256 a2ead324e8fb1bf569d026d0976f83d2bf9d2162151ddc8ef0d5a58ccc5e168c
SHA512 a91f8f813d09621541f85f87ce9069f3da3e871d6c69255a023d7dca8f7a8b0e4aca51929837c5a3d3656a84f12285530d3f56cbcb01d09a94a420469bf308ba