vidar | 3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066

General

Target

3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
Size

2.7MB
MD5

b9e5e995024fe62b794d64f9a9fa4c4b
SHA1

37f08df51635d37df59129d5fef58acd82b5cee2
SHA256

3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066
SHA512

1b42289de9f7c2d3b9312965d19dfc6bb9a1bca9332d06ee6c5d79e915228c6e37f5e4e1bf5ae4579bad51808cee9e8224ee94a684dc0125223571580adc1291

Score

10^/10

vidar 231 discovery spyware stealer suricata

Malware Config

Extracted

Family

vidar

Version

11.3

Botnet

231

C2

http://tonetm.com/

Attributes

profile_id
231

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4160-143-0x0000000000400000-0x0000000000593000-memory.dmp	family_vidar

Executes dropped EXE 2 IoCs

Processes:

YoutubeDownloader.exebinhost.exe

pid process

3496 YoutubeDownloader.exe
4160 binhost.exe

pid	process
3496	YoutubeDownloader.exe
4160	binhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

100 ip-api.com

flow	ioc
100	ip-api.com

Drops file in Program Files directory 17 IoCs

Processes:

3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.Extras.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\AngleSharp.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Newtonsoft.Json.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\System.Windows.Interactivity.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\MaterialDesignColors.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Tyrrrz.Extensions.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\YoutubeExplode.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.Platform.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\GalaSoft.MvvmLight.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Tyrrrz.WpfExtensions.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Microsoft.Practices.ServiceLocation.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe.config	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\MaterialDesignThemes.Wpf.dll	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\binhost.exe	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

binhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	binhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	binhost.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000009c81b1bdbe1567e22dd694f987f9353d1b3875258614e75dbb633ad31944eada000000000e8000000002000020000000af089ba753398d3c2d00a4151c4b4d55488db9e688ffb5e967aefa7fbad22ada200d00003b09596ea69d1dd7e97dd73717586a92f81c5dc9086b10864ce3cb6bf0fd1e5d59e88587561e51d449049efd835e1c37e5c4ed14a3497e0be783ad8703dd2936152c8834d02a0b7e90dc78e69bb40ab007c6b1562fe13f50afee02cbddc801b88f2ce4f9ca02858e38ffbe230b2ac41f1979a238eae353d62f7edffa6a38622db6dd0772b068f46b26f3557cbcb729220aa7a71111de195607f8b75295f2a88d5924fdee0f6f8c17f8fc211f06c129c0c4db3697dfecf009450c1f1828da010a0fb7079a64e910c1662ce3cb7f0b479ba367dda7c044763eaedd43b765c3083f034d646ba9dc6564616729dcfc51b78bde84c00e38b06618c1959474c46a92115f1566a629d943c70784a20c9a97339620f865867b8c89c6bdb2bdca195b79976a95d88a1efe686ff443e38474def7209ceadfb54a71d477cfcf32577a8f9f794ac499265e4264bc9570fbba5a4c2f18eb9a1cc2d74244429059f7cfd10977d8d9e6c30bff54ee4976f6b9e0fe98375060b1e3f39d8c53c40c1f9baa2525305a5c9a64b781a2cdffb2a7708fb95f821aec5036c927c7261a5cb89856cebcc5992ee607d89445af44f6c07009fa5edb3bad0e550b3990fb9fd076aadcc746a8e33af4b2c2a1a9a76a7bd9f1785eb8705825fe078dffd14f4ef5bd7c52a01444131aceeca3afb77b26c16cc54071fc0e4e4be2457bd4e333b5ace371c08e8b29891d37d791ffeb9d151dde2442952cb6b697d25518f3a95ec44852fd41adb51a85b10e62460ba8e5360a24c398a11e72cb883543d9a880ac1d01582ad9f3672f4c2ac25c1b30d3d3eed958fc8074ed9d4283167c0680fd453373c34469bb995111837c906ccfdd7c7079273f7d9381a16723a562ae7b0f2749f014a9be2eef22e735c959bc01a3a76463da12fac7463d7b6a60d72d8d2bc0f253626a84dcadba01e4c9d7f0c28593aa0f0ac2a5527ce598f0101815337480d691cda713538c429f3dd2c90b57acffd448eb78ff81748e68ec39fc87157e3652808568ed5e1ccf7073001c78da35bcc501629a08b0c7ee88a0430a1e5244bb5398c645d278eb9c0e0129d33179bcd13b3e796352b3bf1f31914401c8d1659d1a758834317b081f22c8956a19a565318d4a4559618f4298160046c5f19e374d91fa7c68bf97a1f49343ce5bd99c67a97e75302b9d6e41538a63bf2e1d0fbb8b6c0ae00f14f83c337b35f61402b0f7cddba7d0cfbbc66e59498c2b25f7d0ced9ac81e2c9e01bf6a1f3d3b7186b025e8cea1e45cd4665aefac5e0c34b299863a4da7a3319b3fab430fdf53019088efc6203f7b82e1e2e07ee75c444ca09b6a01f8147ff0420cc939b5397669b3fd026c2153c3504baea737ea54cb94e7793c19489fc5c705d80cc89b837849ef2102bc0a011e2ea2e9c70389e7ae60444884e9e6dbe7c81b2deca154d324030019898d2845bdddfa6f2901a80156bbd7ab54a69d6d05d8751181ac5a57ff1296e5895e4c49f2cdbce024fc102c9d605b1db6646eb5e9bfbc40a28b3b8a44d7b194742f7b13f51e3f4c03808196cf193c433c8caf0a001bbbe619c36b8ba73caa994b248b32a90861f1d9d01270558bc2d3ed25724398f3cdd5046d940ee5304b39f32beae6b9402b87f22ae923800433264cef301605c207c94350d883d33f3816beb0315308699fafd4fd02ce5db3b6029b6e6dfca9d0e205656856d878e63b96c0c3c3446449158076e27fb6b01e596ece99174be7c91aaf0bca0d033b441ce3d395b55e44f30949c04ccefc5dc07ab0e10398ab22a112e806282f6dfa1bc91593b8c4eac9c9615d1980fa96f1b1a173584ebfd2efe0dbd69b8063c69dd2165331bef6dad42ad2b9aa54857131b773c0f0ff5a1a46f7728268b6feb380c81620e3c41b06c272e009d275e837061c0ccc0923ee9642c9482c76d45577fb26a30f3aad8e428f786aaa532426dae11d332668baf08301ec7bb289ca2549b1bc07adb9cd15fee15feeda222101a364bf27f016b66dfbff1161c1ed8cb8611f98919432354f7f986a3971ee4ab0f60199195f7f40121ded1d764665d97c9f84b2114ee6027ab46005498be7362423665a5dd4f71fc9bbe1881c4373eb58a5d4e54a45a9ac6d25f86363b4ad7ec20b800fdbf00539d635f59d1bbe03e2780f62506e9c0b0b980b0fbb459729020ac7e574fa7ae9713b79987121fa6c91b81720351235d5699cfaff5a55dac0234ac7a3e0bcdeeb2cb651479efbadf80e07a8c5ebc70a8f227469ead869f2d65b6ba07c72fb9c5c3575fc7127c7f9914756dfb3fae716d00b30cfd2985b72683dfabce7c459c957fc09257e45c1deb9369681f6de6977e4db034ca3c3e7df0424fe359058010d01d41beed434af35cbbfa7eaf64d5f0ba354689299586f1fb6759f45e720763f2ca4697f266ebf78fa0483b7092dfddf0a1db3efcb42bf817554bd31d378a5fa840ad3c02a190b12602316b9660bc1fe02fcc9662346dd08bbb8423cfba1a8f0fe284cf0c2564fe03e7288b69f11456c22a4e8b243a6656160f6f20858ae224199947d30de20a35912ac09b4a0409e2ed1c0a2bb5901abf70c16f7c8489a64c2ccd1da0dee32c1a8cd40460f5438c8a9941f60df42335178b0ee66f21910900a75833885e683d8743859b26666a1cb76208333d8782b50a2449d35393782865b1ac5489206bc5d7639c507e8c14938fea40a343185dc63ee4b38d905830303dd6f41f08a01f8a0b01e30e98bb6e415cdc6e5d9f00541d9e2fe2989df9d10d930ef440f53164b4c58f91abfe9b26d35195a39c540edfb6663ddd0f2e437c75d705c83a4406c5abd54d1640ce04e858f56566dcb36ef66263c95561c169460ac5fec240b6a1a2fb8a7a3da6b56e59bf43261ae603572e80836b47267a26f42547b4affea66f93c3bb3f9b13362b033363341a054158b9c699536a31f20fa01f33bb7c2172a5ddfd951f5fe8007986ba4763c49820ba8f755b31da4fbf94bd53aa3bd5f35cca566883b16d84f8820ee7e7b2bfb1d73bacef1f24834832f0e92e8debd13e7d417f37ab5f4f9080d4182b525998b296fb239d0d6377fbbf7ccadfbd54c1e43de648fc8f6ddced5ed97fed11b9d0d694acea8edc3a86fee91f20b47def7d036c81e2cfd3e64ee12cfe8257f2a4592b548509205181c59115953cde223f86161606d89ecb32334311e5c6917d6d3b59ee88b72841a857460cc7e717aa14ed4adcbc424de1925b635f01f969aab4357f173f61085888a9cfaf27c0e5d6a7e92335a26e31866e587d6ce817d5b077628b7afb5ec6b12a9c003859c807b02babc0845af95858cf77888b8609cec148c8e24d9d0bb44902575841a1d4b65062eb875c0f959d7c283b170354f82f01e1d068e4b8dad3c1dfaa0cc8405f32d1828f8b74aee99d6d16bf3c258e158d550a7ea364c137cd0cba0e0493b7634b73dea659c8b199e8e7b72080abe688b831aec976bd507881245da83397e0c84b8aa84c65962c28984862b947bc00187ead3952d3ffab7f466d833474b42ec6e6be3fd55bd0386389b5971fe5991eee46f367da84af4a242abe6bfe07ada2b2ee1951f577e918899f22eebda848738dc874508e92b0b713229b168bdce1b7fc6b973c21f5cc5ee4971df72976b98cbfeba4a7f6484f814a762968a0ad140fc429fe348054545159d2110ca16aba1e427f1f7c004ba7aa6b0dcc8e9e5bb40374654a98933252b6637b90288faa2b24f356896bc9a982f6e405af031400b9f6efe26caef4f1d1232df36a9363acf132c4ed32f544f8bc56f81a1b0f81c1f141f6175e68a99b84c8094c7f58d00e819ae7427e3f0840f28f1e8f1b260037c9e0385a443f667dea790e02b635f5ff77c61ddc24fa8f816c0f25e03ab9cd8e82cdb2079ccb91bec3dc32129d2e03f9d0e780ca5ced262190ad3fdf1e1332e06dcecc271a866b06c13abf4687d595a30590ddc32b1bf90819887ed9831c1e76a6d3fcde69e06da07c495a535123ca98aeb82bfdfd4d3014084a606026ed0c729bd42f29ab6ce17ce593fb9ae6674b205fce1c40a70421a3c81903cc5d8b5b1b204928c88390f46a35cb461141eb94a38e56d20dfd12afecfca0860edfedb33f26cd137dd16971715952a0897d0daf22354d6e79c753f6e23b870035a15859af313f400f29dc51145277cdc51a5111a102061710112cac1f0ce38e618e61a0c0a2ae6cd28073716606d061ef9250a5a1358d64df963d9d0d9fba1876e822d014e7a131ca94489bc422a9dba4b001b4aa09637a74d88d3c989a89089be411b77c262176f0c9c7f8049a515d560acb1c6f38f97dc6f94396be05e6f9f48a81162335931a4291c5c7699af42499c648f07a22fccefe9aff0726b14b99edbeff400bccefec695814de241acb0ef92bc454eeaeec6357b6b2cc048bc94db3c99d6f9fd559b206fd2f045a50de451ee098354b69c16034c44042e36e5c1f0a9a30e74dc05e9ecf9035916c06a081ab3ee52ce9e50fb12ef31f7698c6c4cf9f5e178d09a4261be19ca0190a6e322bb3d4b88047e1cd4becbee9ce23d7d603d9df40e14dae37d8a2ddfa1b4756a32b862e9db20ada2d7a890e68ffac7e88b82e8f688769de95d42b75939cac72b31f5517178fc44b96ace8f3127da116a73f791141ade845a471e3cea6ca8ae6b079602440dd4a5d82437f397a10b39b8b473eb44e2fbb9f3259ce93fab0707edc4309bccf4f3457400000002642e1b1650db4dcbda003f666a5192512ccb1054195edd8539f0208ebbb9a73f3e9d43bc5686b8e70fd014a9351eb50230b5efcaa4c4efafecbc5c9c293ba7a	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018C005EA59D967"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018C005EA59D967 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000bae7cfc8fc8539b3ade6f094d99128fd885dfc63ecc4858cab0a0e9468bce641000000000e80000000020000200000007909ec93f4ba089120895e6133e5d9dcb7eb4de5c7aac840587628407774e65380000000ef1f6a3e272ff720d140a9bb8fb6c7647ef58614c6b298d4edc77f6572751b6148c0ed67edcc95643aa5770798e96ed6708e593eb7d01c9db1e37584f5387a937a7ada1c1a2309c773062a71f2d789f19b11a7c94844cb13b8da162823b8f58de9568a8483b1368ba5739fa89a6277697b243ef50950249b6cb423ba077597b340000000d3cd3826fbd0a73f6ee4e30a157018900d9ac4bc5ddbfa1465686eaddbd829cf75d01a9af4dbab5e8221521d5c7bd9921202ccf55242551687d481d356c90782	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

binhost.exe

pid process

4160 binhost.exe
4160 binhost.exe
4160 binhost.exe
4160 binhost.exe
4160 binhost.exe
4160 binhost.exe
4160 binhost.exe
4160 binhost.exe

pid	process
4160	binhost.exe
4160	binhost.exe
4160	binhost.exe
4160	binhost.exe
4160	binhost.exe
4160	binhost.exe
4160	binhost.exe
4160	binhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe

description	pid	process	target process
PID 4300 wrote to memory of 3496	4300	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe	YoutubeDownloader.exe
PID 4300 wrote to memory of 3496	4300	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe	YoutubeDownloader.exe
PID 4300 wrote to memory of 3496	4300	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe	YoutubeDownloader.exe
PID 4300 wrote to memory of 4160	4300	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe	binhost.exe
PID 4300 wrote to memory of 4160	4300	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe	binhost.exe
PID 4300 wrote to memory of 4160	4300	3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe	binhost.exe

C:\Users\Admin\AppData\Local\Temp\3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe
"C:\Users\Admin\AppData\Local\Temp\3126a3b54875a1ec03175d65d9d149c7cb19c6bcd79546454ecd911914335066.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4300

C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe
"C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe"
2⤵
- Executes dropped EXE
PID:3496

C:\Program Files (x86)\LetsSee!\binhost.exe
"C:\Program Files (x86)\LetsSee!\binhost.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

4

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe
MD5
ede675d5acdfd0443596ee2a6c99735c

SHA1
f3b0cc4d1af3b02154a151207e7daa330314413d

SHA256
e9d074f94fec9ea94ea8feccc39ae530942cffa9cba580cea99ad8799c907c98

SHA512
135114b1ae3daabf49f22b7e5ab4f0c0c16c1cf3c2548732fd30947ed889337f6d46ba165f3f07f33a464dede522a854245ccee0ffddca3352c0bae389e9575b

Download Submit
C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe
MD5
ede675d5acdfd0443596ee2a6c99735c

SHA1
f3b0cc4d1af3b02154a151207e7daa330314413d

SHA256
e9d074f94fec9ea94ea8feccc39ae530942cffa9cba580cea99ad8799c907c98

SHA512
135114b1ae3daabf49f22b7e5ab4f0c0c16c1cf3c2548732fd30947ed889337f6d46ba165f3f07f33a464dede522a854245ccee0ffddca3352c0bae389e9575b

Download Submit
C:\Program Files (x86)\LetsSee!\YoutubeDownloader.exe.config
MD5
49250225471120d8da1e20614bdf5820

SHA1
25162ea18b0789f2316f3ebbde159aea66720122

SHA256
4b58aa26ed3a8fe1ebee192229900c54bf2931284b11e646f7b5fe979b2c42e6

SHA512
c91bdb500501f489925741841d657790702eeca421d622484773a87a10a9e7de638069e435916b5f3d23bde08b9a5660e82583eef4fd1dd76fee1fbe33079f07

Download Submit
C:\Program Files (x86)\LetsSee!\binhost.exe
MD5
006689bf2ae6f8f91c8fe68c0fdf59b1

SHA1
ddc928347c31db71f4d6ffb3af71d05d092a4db7

SHA256
40ed409c1df89bb6366f336d10cc369006f361f772ba27f21bb4a2b96f4c650d

SHA512
407710d2c6a8bf96dd044ae2c7dc9479ba6dc2ce9a00a1b9956d45fe2bdc2e8e6ed7bfadbeaed4a1952972342238b5ca009ffb5a74aabd60280732bdb2558272

Download Submit
C:\Program Files (x86)\LetsSee!\binhost.exe
MD5
006689bf2ae6f8f91c8fe68c0fdf59b1

SHA1
ddc928347c31db71f4d6ffb3af71d05d092a4db7

SHA256
40ed409c1df89bb6366f336d10cc369006f361f772ba27f21bb4a2b96f4c650d

SHA512
407710d2c6a8bf96dd044ae2c7dc9479ba6dc2ce9a00a1b9956d45fe2bdc2e8e6ed7bfadbeaed4a1952972342238b5ca009ffb5a74aabd60280732bdb2558272

Download Submit
memory/3496-134-0x0000000000000000-mapping.dmp

Download
memory/4160-136-0x0000000000000000-mapping.dmp

Download
memory/4160-142-0x0000000000B40000-0x0000000000C40000-memory.dmp

Filesize
1024KB

Download
memory/4160-143-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads