017599a9b7ddc4b7cb519c4ee39412693e0ea4bb489bae78894bf51850cfcbfe

Analysis

max time kernel
111s
max time network
114s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30/01/2023, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoicemeeterSetup.exe
Size

13.1MB
MD5

9194dea9983f846cd2590815c5ce8bd6
SHA1

c7b378749a703e8f4f2c7e752087f27592bb0a68
SHA256

017599a9b7ddc4b7cb519c4ee39412693e0ea4bb489bae78894bf51850cfcbfe
SHA512

687cea0b925ea45df6805c436a065e41320e5299fb6354af441869d1c4f34ff9f9884cc671e43f1f4dd02e3730ad34c4f14ae986e3a560d936f23963fb9fb2b2
SSDEEP

393216:W4lDeyKfwlLCfU00Sv4FjlsrHk3HNvizuskBB+3wdXH:W4lDeyKoZC800G4grHgtKKsQBRlH

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\SET2EAF.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SET2EAF.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vbaudio_vmvaio64_win7.sys	DrvInst.exe

Executes dropped EXE 2 IoCs

pid	Process
936	VBCABLE_Setup_x64.exe
1680	vbregsvr64.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvm_asiodriver64.dll"	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ThreadingModel = "Apartment"	vbregsvr64.exe

Loads dropped DLL 16 IoCs

pid	Process
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1680	vbregsvr64.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe
1552	VoicemeeterSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\SET7D6C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\SET7D7C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	VBCABLE_Setup_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	VBCABLE_Setup_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	VBCABLE_Setup_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\vbaudio_vmvaio64_win7.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\SET7D6C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\SET7D7C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vbvmvaio64_win7.inf_amd64_neutral_e5670da91b77c9f8\vbvmvaio64_win7.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vbvmvaio64_win7.inf_amd64_neutral_e5670da91b77c9f8\vbvmvaio64_win7.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\SET7D6B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\SET7D6B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\vbvmvaio64_win7.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\vbaudio_vmvaio64_win7.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_vista.cat	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_win7.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSGEQ15.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbusbgpi_uart_xp_vista.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_xp.sys	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBAudioLogoBlack_72x72.png	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBAudioLogoWhite_72x72.png	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_win10.cat	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\voicemeeter.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_win10.sys	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_ControlPanel.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup_x64.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_2003.inf	VoicemeeterSetup.exe
File created	C:\Program Files\VB\CABLEVM\VBvmvaio64_win7.inf	VBCABLE_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win7.cat	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_win7.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\MacroButton_72x72.png	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_2003.cat	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_2003.sys	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_vista.sys	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_win10.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\readme.txt	VoicemeeterSetup.exe
File opened for modification	C:\Program Files\VB\CABLEVM\VBCABLE_ControlPanel.exe	VBCABLE_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win10.cat	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_2003.cat	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_win7.cat	VoicemeeterSetup.exe
File opened for modification	C:\Program Files\VB\CABLEVM\VBCABLE_Setup_x64.exe	VBCABLE_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_vista.sys	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\button_72x72.png	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win10.sys	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_vista.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_win10.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_xp.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_2003.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSMatrix8.exe	VoicemeeterSetup.exe
File created	C:\Program Files\VB\CABLEVM\VBCABLE_Setup_x64.exe	VBCABLE_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VMStreamerView.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterRemote64.dll	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBAN2MIDI.exe	VoicemeeterSetup.exe
File opened for modification	C:\Program Files\VB\CABLEVM\VBvmvaio64_win7.inf	VBCABLE_Setup_x64.exe
File created	C:\Program Files\VB\CABLEVM\VBCABLE_ControlPanel.exe	VBCABLE_Setup_x64.exe
File opened for modification	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterSetup.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterLogo_72x72.png	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_2003.sys	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_xp.cat	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_vista.cat	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBDeviceCheck.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver.dll	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterRemote.dll	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterMacroButtons.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup.exe	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_vista.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbusbgpi_uart.inf	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win7.sys	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_win7.sys	VoicemeeterSetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterSetup.exe	VoicemeeterSetup.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	VBCABLE_Setup_x64.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\inf\vbusbgpi_uart.inf	VoicemeeterSetup.exe
File opened for modification	C:\Windows\inf\vbusbgpi_uart.inf	VoicemeeterSetup.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	VBCABLE_Setup_x64.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{52AB6781-A0D0-11ED-BB5A-5A9C998014C3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\ = "Voicemeeter Virtual ASIO"	VoicemeeterSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvm_asiodriver.dll"	VoicemeeterSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ThreadingModel = "Apartment"	VoicemeeterSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\ = "Voicemeeter Virtual ASIO"	vbregsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvm_asiodriver64.dll"	vbregsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}	VoicemeeterSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32	VoicemeeterSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ThreadingModel = "Apartment"	vbregsvr64.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	VBCABLE_Setup_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	VBCABLE_Setup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VBCABLE_Setup_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VBCABLE_Setup_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	VBCABLE_Setup_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VBCABLE_Setup_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VBCABLE_Setup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	VBCABLE_Setup_x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	1400	rundll32.exe
Token: SeRestorePrivilege	1400	rundll32.exe
Token: SeRestorePrivilege	1400	rundll32.exe
Token: SeRestorePrivilege	1400	rundll32.exe
Token: SeRestorePrivilege	1400	rundll32.exe
Token: SeRestorePrivilege	1400	rundll32.exe
Token: SeRestorePrivilege	1400	rundll32.exe
Token: SeBackupPrivilege	540	vssvc.exe
Token: SeRestorePrivilege	540	vssvc.exe
Token: SeAuditPrivilege	540	vssvc.exe
Token: SeBackupPrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	268	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	1356	DrvInst.exe
Token: SeLoadDriverPrivilege	1356	DrvInst.exe
Token: SeLoadDriverPrivilege	1356	DrvInst.exe
Token: SeLoadDriverPrivilege	1356	DrvInst.exe
Token: SeRestorePrivilege	936	VBCABLE_Setup_x64.exe
Token: SeLoadDriverPrivilege	936	VBCABLE_Setup_x64.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeLoadDriverPrivilege	2040	DrvInst.exe
Token: SeLoadDriverPrivilege	2040	DrvInst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1280	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1280	iexplore.exe
1280	iexplore.exe
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 936	1552	VoicemeeterSetup.exe	28
PID 1552 wrote to memory of 936	1552	VoicemeeterSetup.exe	28
PID 1552 wrote to memory of 936	1552	VoicemeeterSetup.exe	28
PID 1552 wrote to memory of 936	1552	VoicemeeterSetup.exe	28
PID 268 wrote to memory of 1400	268	DrvInst.exe	30
PID 268 wrote to memory of 1400	268	DrvInst.exe	30
PID 268 wrote to memory of 1400	268	DrvInst.exe	30
PID 1552 wrote to memory of 1680	1552	VoicemeeterSetup.exe	35
PID 1552 wrote to memory of 1680	1552	VoicemeeterSetup.exe	35
PID 1552 wrote to memory of 1680	1552	VoicemeeterSetup.exe	35
PID 1552 wrote to memory of 1680	1552	VoicemeeterSetup.exe	35
PID 1552 wrote to memory of 1280	1552	VoicemeeterSetup.exe	36
PID 1552 wrote to memory of 1280	1552	VoicemeeterSetup.exe	36
PID 1552 wrote to memory of 1280	1552	VoicemeeterSetup.exe	36
PID 1552 wrote to memory of 1280	1552	VoicemeeterSetup.exe	36
PID 1280 wrote to memory of 2004	1280	iexplore.exe	38
PID 1280 wrote to memory of 2004	1280	iexplore.exe	38
PID 1280 wrote to memory of 2004	1280	iexplore.exe	38
PID 1280 wrote to memory of 2004	1280	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\VoicemeeterSetup.exe
"C:\Users\Admin\AppData\Local\Temp\VoicemeeterSetup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup_x64.exe
  -h -i -H -n
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe
  -fC:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Loads dropped DLL
  - Modifies registry class
  PID:1680
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.vb-audio.com/Voicemeeter/ThankYou.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2004

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2604b5d5-2de8-182a-e758-d63c4c730059}\vbvmvaio64_win7.inf" "9" "6d2b90767" "00000000000004A0" "WinSta0\Default" "0000000000000494" "208" "c:\program files (x86)\vb\voicemeeter"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5117fa4c-81dc-5d95-eaa4-49204c50294b} Global\{0d10bcb3-a89b-0af9-fb88-be76c5f9a707} C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\vbvmvaio64_win7.inf C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\vbaudio_vmvaio64_win7.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "00000000000005C0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem2.inf" "vbvmvaio64_win7.inf:VBCable.NTamd64:VBCableInst:2.1.5.2:vbaudiovmvaio" "6d2b90767" "00000000000004A0" "00000000000003A4" "00000000000005C4"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_ControlPanel.exe

Filesize
855KB

MD5
db995a95c85c9f0eb9f0a45de6294ff9

SHA1
b5ed04c7267f31582a890a4b92333488cd38db89

SHA256
a22006c8d6768499623f0c5cb3aa64e7bc3457a2705bd891f2679def4835c0bd

SHA512
82162a7c642077e3b7041e5bfd8275ff8dcb377e13cbb123604ea5beb1fd5298fc31473066ca4826324b0639ca3b42ba12e481d470c0152a6ef0d2b7497959c4

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup_x64.exe

Filesize
893KB

MD5
9e5a52d2752d970f0f94f44316124d49

SHA1
9667e2a47d7e21f7ec598ad742af79fa5bead92d

SHA256
54ad522330cd83b382aa3400d38f2d910c1aa5dadb2994c4f56faaee5e187033

SHA512
4e6cffe70f28025f7a3cac582c6dbb3978d96b3551ed6f2d2d2f00bb8cd4161c7ed83e4aa4f8b2562930f1e01e486d5dddbc47df6422702d7672bb38b36d3bb2

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup_x64.exe

Filesize
893KB

MD5
9e5a52d2752d970f0f94f44316124d49

SHA1
9667e2a47d7e21f7ec598ad742af79fa5bead92d

SHA256
54ad522330cd83b382aa3400d38f2d910c1aa5dadb2994c4f56faaee5e187033

SHA512
4e6cffe70f28025f7a3cac582c6dbb3978d96b3551ed6f2d2d2f00bb8cd4161c7ed83e4aa4f8b2562930f1e01e486d5dddbc47df6422702d7672bb38b36d3bb2

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_win7.inf

Filesize
4KB

MD5
e51ee4b581e96ea11c75ea8285af2ecb

SHA1
8344be38ce07b9d32ab7ee2cda7eb273ccf5423b

SHA256
db909998412e1a6aad8d9723b98a42aa0b1d1ecddf3264adab7d7885a32f9850

SHA512
e1bf3eba626cf6d2b5bc79978302bbcea1501fa046ecc77134ea61326d01a58b5be462cc24e23d163c9a6eb068acc5d6520b18a83e78603929f55384a2786e33

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe

Filesize
47KB

MD5
a8442fae07f1a7edca6fa2e0e94c2059

SHA1
d30851d5e11d9e87bb99ab4ecfaec2099b7e1156

SHA256
f2b62bef11048c74a7d1b2cd8e217738b3a7d627de6d001b298f034116626e6b

SHA512
ca0de0d6e28864f84dd09ea38846eef0920a8cd63dcb950e9cffb9c0be057b0aa9cb59f209fe8181962c605924d2e77c837e2b3ed45fe700edd24a3cf66e5ac2

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll

Filesize
115KB

MD5
393835824c73d0b3b0956934c3f6595f

SHA1
6172ac7ee0b79048f08423c2807e810bcb247b19

SHA256
1bf7dff5ee0bbec272282896b7024759b6123f105a9780059a44588d06201f6b

SHA512
6f0436f32084b51e7999616e3016f67a1dd9d7bd60a944ad46acd1875403165bc78bd51ac6c6a79a96c9cd64073d4dd96c8e9b7ece4b8f92e77571ac92a37433

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2604B~1\vbaudio_vmvaio64_win7.sys

Filesize
62KB

MD5
bd6894a475a07b9ccb8dc9adfbc043f9

SHA1
c4e52f27176c93657930c07c502764622702228a

SHA256
b55594cd84bd31127eda84f59fc918d2e616219a0b6949edf367e1db56ff9b62

SHA512
d791b7b74f7f1f478b54695f137dcb9abc9eb0ea6d9654fd9de61ecee5da198d2a454c8133cbafbddc6de44907918eeeb1eeb452c5d7db7b7c9393eede93b2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2604b5d5-2de8-182a-e758-d63c4c730059}\vbaudio_vmvaio64_win7.cat

Filesize
9KB

MD5
192fd4309ea9d16efccbf608e9550496

SHA1
19f76512b6b7440c20cb1a1639ddfbc0d2e02c50

SHA256
1feb6748c10d8babbd90338374380430ae5f6ab2f25fc07dcdd16ed5b451076d

SHA512
4bc23dc9d0a502ab05260743e845d4f2143e89c12c3288225b291ddb12d0d9cbc4801e2101c4980b2a6b8f925ae1e2441aff0036bffd5c282423decc1cb60a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2604b5d5-2de8-182a-e758-d63c4c730059}\vbvmvaio64_win7.inf

Filesize
4KB

MD5
e51ee4b581e96ea11c75ea8285af2ecb

SHA1
8344be38ce07b9d32ab7ee2cda7eb273ccf5423b

SHA256
db909998412e1a6aad8d9723b98a42aa0b1d1ecddf3264adab7d7885a32f9850

SHA512
e1bf3eba626cf6d2b5bc79978302bbcea1501fa046ecc77134ea61326d01a58b5be462cc24e23d163c9a6eb068acc5d6520b18a83e78603929f55384a2786e33

Download Submit
C:\Windows\INF\oem2.inf

Filesize
4KB

MD5
e51ee4b581e96ea11c75ea8285af2ecb

SHA1
8344be38ce07b9d32ab7ee2cda7eb273ccf5423b

SHA256
db909998412e1a6aad8d9723b98a42aa0b1d1ecddf3264adab7d7885a32f9850

SHA512
e1bf3eba626cf6d2b5bc79978302bbcea1501fa046ecc77134ea61326d01a58b5be462cc24e23d163c9a6eb068acc5d6520b18a83e78603929f55384a2786e33

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\VBVMVA~1.INF\vbaudio_vmvaio64_win7.sys

Filesize
62KB

MD5
bd6894a475a07b9ccb8dc9adfbc043f9

SHA1
c4e52f27176c93657930c07c502764622702228a

SHA256
b55594cd84bd31127eda84f59fc918d2e616219a0b6949edf367e1db56ff9b62

SHA512
d791b7b74f7f1f478b54695f137dcb9abc9eb0ea6d9654fd9de61ecee5da198d2a454c8133cbafbddc6de44907918eeeb1eeb452c5d7db7b7c9393eede93b2b8

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vbvmvaio64_win7.inf_amd64_neutral_e5670da91b77c9f8\vbvmvaio64_win7.PNF

Filesize
13KB

MD5
1051eec0539a4de89a768a758740c7b9

SHA1
4d670b938139df9b89802ac4e881f85723f3ed29

SHA256
ea737264dbaed7db9f4c544049bd237167b1cc687fbf220aff5b3c0c953a0e52

SHA512
d0b281690c242667ecd68435576c6f0fa9a0fe138f9f2b9c4306bc93129d571cd802cc617ec4b0f2316f30d21691bf13b6e22510bbfd45ee930b037189fb4bd5

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
e1babdf090a0d5f1d64a5a9ac34a94ca

SHA1
7d490206a4fd69f86c41f95022dfa3628259b486

SHA256
1804943d5824534970a36a5e1c83d9daeeee46ec9e3ce79ebd3bfb500dd56d65

SHA512
5c7fd74725ebf00eb1cfa8b7f08c140c37cc9b90a3a1079a2895577e934e47b47051563805555f4b1eb56f7b8e38c41751f6d928fa7b55cffff4b86ae90a7999

Download Submit
C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\vbaudio_vmvaio64_win7.cat

Filesize
9KB

MD5
192fd4309ea9d16efccbf608e9550496

SHA1
19f76512b6b7440c20cb1a1639ddfbc0d2e02c50

SHA256
1feb6748c10d8babbd90338374380430ae5f6ab2f25fc07dcdd16ed5b451076d

SHA512
4bc23dc9d0a502ab05260743e845d4f2143e89c12c3288225b291ddb12d0d9cbc4801e2101c4980b2a6b8f925ae1e2441aff0036bffd5c282423decc1cb60a29

Download Submit
C:\Windows\System32\DriverStore\Temp\{59562a7c-e1eb-3197-8bf7-bc27d10c5f5b}\vbvmvaio64_win7.inf

Filesize
4KB

MD5
e51ee4b581e96ea11c75ea8285af2ecb

SHA1
8344be38ce07b9d32ab7ee2cda7eb273ccf5423b

SHA256
db909998412e1a6aad8d9723b98a42aa0b1d1ecddf3264adab7d7885a32f9850

SHA512
e1bf3eba626cf6d2b5bc79978302bbcea1501fa046ecc77134ea61326d01a58b5be462cc24e23d163c9a6eb068acc5d6520b18a83e78603929f55384a2786e33

Download Submit
\??\c:\PROGRA~2\vb\VOICEM~1\VB2A72~1.SYS

Filesize
62KB

MD5
bd6894a475a07b9ccb8dc9adfbc043f9

SHA1
c4e52f27176c93657930c07c502764622702228a

SHA256
b55594cd84bd31127eda84f59fc918d2e616219a0b6949edf367e1db56ff9b62

SHA512
d791b7b74f7f1f478b54695f137dcb9abc9eb0ea6d9654fd9de61ecee5da198d2a454c8133cbafbddc6de44907918eeeb1eeb452c5d7db7b7c9393eede93b2b8

Download Submit
\??\c:\program files (x86)\vb\voicemeeter\vbaudio_vmvaio64_win7.cat

Filesize
9KB

MD5
192fd4309ea9d16efccbf608e9550496

SHA1
19f76512b6b7440c20cb1a1639ddfbc0d2e02c50

SHA256
1feb6748c10d8babbd90338374380430ae5f6ab2f25fc07dcdd16ed5b451076d

SHA512
4bc23dc9d0a502ab05260743e845d4f2143e89c12c3288225b291ddb12d0d9cbc4801e2101c4980b2a6b8f925ae1e2441aff0036bffd5c282423decc1cb60a29

Download Submit
\Program Files (x86)\VB\Voicemeeter\VBAN2MIDI.exe

Filesize
316KB

MD5
0f2edb805655391038c027f2c2670f4f

SHA1
d238ef040ea8a612318a1a9257277c212b3f134d

SHA256
1538ff5e30b55bcbb4bf7746cd08acbe058e0034fb8112d672ccc5e1394b7b94

SHA512
45cf321b3495a80f530e2619c026033ac0b70f4148ead67972b69ce0683f1117f948339d46c62e8410512a2cad176316f5f8564d83cf053d19d1241697479244

Download Submit
\Program Files (x86)\VB\Voicemeeter\VBAN2MIDI.exe

Filesize
316KB

MD5
0f2edb805655391038c027f2c2670f4f

SHA1
d238ef040ea8a612318a1a9257277c212b3f134d

SHA256
1538ff5e30b55bcbb4bf7746cd08acbe058e0034fb8112d672ccc5e1394b7b94

SHA512
45cf321b3495a80f530e2619c026033ac0b70f4148ead67972b69ce0683f1117f948339d46c62e8410512a2cad176316f5f8564d83cf053d19d1241697479244

Download Submit
\Program Files (x86)\VB\Voicemeeter\VBCABLE_ControlPanel.exe

Filesize
855KB

MD5
db995a95c85c9f0eb9f0a45de6294ff9

SHA1
b5ed04c7267f31582a890a4b92333488cd38db89

SHA256
a22006c8d6768499623f0c5cb3aa64e7bc3457a2705bd891f2679def4835c0bd

SHA512
82162a7c642077e3b7041e5bfd8275ff8dcb377e13cbb123604ea5beb1fd5298fc31473066ca4826324b0639ca3b42ba12e481d470c0152a6ef0d2b7497959c4

Download Submit
\Program Files (x86)\VB\Voicemeeter\VBCABLE_ControlPanel.exe

Filesize
855KB

MD5
db995a95c85c9f0eb9f0a45de6294ff9

SHA1
b5ed04c7267f31582a890a4b92333488cd38db89

SHA256
a22006c8d6768499623f0c5cb3aa64e7bc3457a2705bd891f2679def4835c0bd

SHA512
82162a7c642077e3b7041e5bfd8275ff8dcb377e13cbb123604ea5beb1fd5298fc31473066ca4826324b0639ca3b42ba12e481d470c0152a6ef0d2b7497959c4

Download Submit
\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup_x64.exe

Filesize
893KB

MD5
9e5a52d2752d970f0f94f44316124d49

SHA1
9667e2a47d7e21f7ec598ad742af79fa5bead92d

SHA256
54ad522330cd83b382aa3400d38f2d910c1aa5dadb2994c4f56faaee5e187033

SHA512
4e6cffe70f28025f7a3cac582c6dbb3978d96b3551ed6f2d2d2f00bb8cd4161c7ed83e4aa4f8b2562930f1e01e486d5dddbc47df6422702d7672bb38b36d3bb2

Download Submit
\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSGEQ15.exe

Filesize
526KB

MD5
428f5d6c1ad8a8cc1ccb07b7de7b5836

SHA1
250252a7211ad9a4e5efc00f642197959751bdf6

SHA256
54910065ce0530097d6c8cc1463fd208e4ced199868081528a3e4bc8f39d15b9

SHA512
6d86d8db5e948892b16a21ad89df0939aa1bf85eb50322d0d7728724948ce5cf51c01cf4618b4a1ddbd792b00adcf5969a14ed96ee66c366955cf841cc59dbcd

Download Submit
\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSGEQ15.exe

Filesize
526KB

MD5
428f5d6c1ad8a8cc1ccb07b7de7b5836

SHA1
250252a7211ad9a4e5efc00f642197959751bdf6

SHA256
54910065ce0530097d6c8cc1463fd208e4ced199868081528a3e4bc8f39d15b9

SHA512
6d86d8db5e948892b16a21ad89df0939aa1bf85eb50322d0d7728724948ce5cf51c01cf4618b4a1ddbd792b00adcf5969a14ed96ee66c366955cf841cc59dbcd

Download Submit
\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSMatrix8.exe

Filesize
157KB

MD5
8f90b3cf9ae14522043edba0fe02d034

SHA1
d697d5b8c2130a5c99ab3ee043769a99c44410c5

SHA256
5e26c31db77526c7c76cd88117993772331883e6ab668601727ce10a7e418e8f

SHA512
c90b81fd1c6bd8c07eba3f36432c42fabf013272dda7a359b6cdef0f663541083b9f6758a55b1b62eae24d3cd8fc8ac38af43caf188b3838c98da204e117b51a

Download Submit
\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSMatrix8.exe

Filesize
157KB

MD5
8f90b3cf9ae14522043edba0fe02d034

SHA1
d697d5b8c2130a5c99ab3ee043769a99c44410c5

SHA256
5e26c31db77526c7c76cd88117993772331883e6ab668601727ce10a7e418e8f

SHA512
c90b81fd1c6bd8c07eba3f36432c42fabf013272dda7a359b6cdef0f663541083b9f6758a55b1b62eae24d3cd8fc8ac38af43caf188b3838c98da204e117b51a

Download Submit
\Program Files (x86)\VB\Voicemeeter\VoicemeeterMacroButtons.exe

Filesize
1.3MB

MD5
01fb6fced185a8286298f537799c5280

SHA1
3a3ffa1f13dde0cd15200d8701f3336ed67eac3f

SHA256
b1ab560bc5982545aa66b188872053326ac2ad0e739f7eb86336a86a847fef4d

SHA512
ffdf168cc6d93d446dc19b914fe7075fbce81c91cc6c0637a7e34042b1f9d001eaf32afa1dc83a94d09e735c72298b61fe3de1dece182e545ad400de0ea85ce9

Download Submit
\Program Files (x86)\VB\Voicemeeter\VoicemeeterMacroButtons.exe

Filesize
1.3MB

MD5
01fb6fced185a8286298f537799c5280

SHA1
3a3ffa1f13dde0cd15200d8701f3336ed67eac3f

SHA256
b1ab560bc5982545aa66b188872053326ac2ad0e739f7eb86336a86a847fef4d

SHA512
ffdf168cc6d93d446dc19b914fe7075fbce81c91cc6c0637a7e34042b1f9d001eaf32afa1dc83a94d09e735c72298b61fe3de1dece182e545ad400de0ea85ce9

Download Submit
\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe

Filesize
47KB

MD5
a8442fae07f1a7edca6fa2e0e94c2059

SHA1
d30851d5e11d9e87bb99ab4ecfaec2099b7e1156

SHA256
f2b62bef11048c74a7d1b2cd8e217738b3a7d627de6d001b298f034116626e6b

SHA512
ca0de0d6e28864f84dd09ea38846eef0920a8cd63dcb950e9cffb9c0be057b0aa9cb59f209fe8181962c605924d2e77c837e2b3ed45fe700edd24a3cf66e5ac2

Download Submit
\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver.dll

Filesize
96KB

MD5
da2544c03a5779ff141e25f92b1a2095

SHA1
f9a901f25b583c29fa3df6002857e12919ca4b23

SHA256
818734c67b48b2836b955d9a78feaafc9cdf84bb7b6367474d12ae86d5d4585c

SHA512
878fb49fe6dd4b5c378412b8302dbbbcf54e66b1bb8fad39fa05c9e45b75cab0e985e1a5959df38c4e3230dee61d203ddb8d1f0af4b4cd2f9d6d1ceeb51f0a0e

Download Submit
\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll

Filesize
115KB

MD5
393835824c73d0b3b0956934c3f6595f

SHA1
6172ac7ee0b79048f08423c2807e810bcb247b19

SHA256
1bf7dff5ee0bbec272282896b7024759b6123f105a9780059a44588d06201f6b

SHA512
6f0436f32084b51e7999616e3016f67a1dd9d7bd60a944ad46acd1875403165bc78bd51ac6c6a79a96c9cd64073d4dd96c8e9b7ece4b8f92e77571ac92a37433

Download Submit
\Program Files (x86)\VB\Voicemeeter\voicemeeter.exe

Filesize
5.6MB

MD5
30b6003c3fe191354acaf52c54a1058c

SHA1
fa5a61c707294fc9aa68f631fe5f6b5a5ecd1e92

SHA256
bd53a918b015d8faa3a40ec4f292784d725f9a458cedcb2ee387784f29247ede

SHA512
7f486e178e37a059d09b91d567f8d757cb581a13d1ce63b3b16ee7fb76eb07af432e83bd5967a273964276f766d9397a5cac7124195ae948989923b1d283b01d

Download Submit
\Program Files (x86)\VB\Voicemeeter\voicemeeter.exe

Filesize
5.6MB

MD5
30b6003c3fe191354acaf52c54a1058c

SHA1
fa5a61c707294fc9aa68f631fe5f6b5a5ecd1e92

SHA256
bd53a918b015d8faa3a40ec4f292784d725f9a458cedcb2ee387784f29247ede

SHA512
7f486e178e37a059d09b91d567f8d757cb581a13d1ce63b3b16ee7fb76eb07af432e83bd5967a273964276f766d9397a5cac7124195ae948989923b1d283b01d

Download Submit
memory/1400-65-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1552-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads