88aadf26c5a6ef8b874d4c0e7ac5250aed2ab2491ee3f3ab0de850cd151f9f5b

Analysis

max time kernel
29s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-02-2023 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vocaloid4_4.2.1_setup.exe
Size

49.9MB
MD5

9fa0daa963c93a185fcd38056f1697cf
SHA1

a7eb2b5144f09020e0a526394f52fc20133f4c1f
SHA256

88aadf26c5a6ef8b874d4c0e7ac5250aed2ab2491ee3f3ab0de850cd151f9f5b
SHA512

3e6b8c4581c58c12e71733571186bcc6f0ec078f75d9b5d0b52a69996765b1f6e772f17e0d86052b844953200c7d44fe87567a66aa12bbeb5df364177fe83db7
SSDEEP

786432:THq33j8RcOkoGNrRjJnlF40K+mRLiuRcRWOFZ3N/rSckcVdg+Dp7ZcFz+t:rq3T8iboGNVjJn76rcJVbVLFust

Score

7^/10

aspackv2 discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-LSJ97.tmp\isgsg.dll	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Program Files (x86)\Vocaloid4FE\VOCALOID4.exe	aspack_v212_v242
\Program Files (x86)\Vocaloid4FE\VOCALOID4.exe	aspack_v212_v242

Executes dropped EXE 5 IoCs

Processes:

vocaloid4_4.2.1_setup.tmpvcredist_x86_2008.exeinstall.exevcredist_x86.exevcredist_x86.exe

pid process

1728 vocaloid4_4.2.1_setup.tmp
1016 vcredist_x86_2008.exe
1752 install.exe
1324 vcredist_x86.exe
1708 vcredist_x86.exe

pid	process
1728	vocaloid4_4.2.1_setup.tmp
1016	vcredist_x86_2008.exe
1752	install.exe
1324	vcredist_x86.exe
1708	vcredist_x86.exe

Loads dropped DLL 15 IoCs

Processes:

vocaloid4_4.2.1_setup.exevocaloid4_4.2.1_setup.tmpvcredist_x86_2008.exeinstall.exevcredist_x86.exevcredist_x86.exe

pid	process
1260	vocaloid4_4.2.1_setup.exe
1728	vocaloid4_4.2.1_setup.tmp
1728	vocaloid4_4.2.1_setup.tmp
1728	vocaloid4_4.2.1_setup.tmp
1728	vocaloid4_4.2.1_setup.tmp
1728	vocaloid4_4.2.1_setup.tmp
1728	vocaloid4_4.2.1_setup.tmp
1728	vocaloid4_4.2.1_setup.tmp
1728	vocaloid4_4.2.1_setup.tmp
1728	vocaloid4_4.2.1_setup.tmp
1016	vcredist_x86_2008.exe
1752	install.exe
1728	vocaloid4_4.2.1_setup.tmp
1324	vcredist_x86.exe
1708	vcredist_x86.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-LSJ97.tmp\isgsg.dll	upx
behavioral1/memory/1728-71-0x0000000004780000-0x00000000047B1000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

vocaloid4_4.2.1_setup.tmpmsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\TamasubPlugin\is-NBB3F.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\language\is-QFG1I.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-BE1J7.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-ABCI7.tmp	vocaloid4_4.2.1_setup.tmp
File opened for modification	C:\Program Files (x86)\Vocaloid4FE\dbm4.dll	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\Tegakiloid_111\Android\is-9PLQQ.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\TamasubPlugin_ToMidi\is-PM6PM.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\Tegakiloid_111\socket\is-F838H.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\InputMML_112\is-78H3J.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\Tegakiloid_111\iOS\Tegakiloid\Tegakiloid\is-R7N9I.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\expdbdir\vexp1\is-2CI55.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-O13UM.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-U10QU.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\Tegakiloid_111\iOS\Tegakiloid\Tegakiloid\is-Q2OL0.tmp	vocaloid4_4.2.1_setup.tmp
File opened for modification	C:\Program Files (x86)\Vocaloid4FE\Vsq4.dll	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-Q645I.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-QKF1I.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-0200U.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\Tegakiloid_111\iOS\Tegakiloid\Tegakiloid\is-LMJ8O.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\TamasubPlugin_ToMidi\is-B29KQ.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\licenses\libxml2\is-0O94M.tmp	vocaloid4_4.2.1_setup.tmp
File opened for modification	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\TamasubPlugin\HisK2Lib.dll	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\is-I4DDD.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-2I2P7.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\InputMML_112\is-DCB0M.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\InputMML_112\is-PV3D4.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\VOCALOID_JobPluginSDK_V3_0_1_0\Doc\is-218I6.tmp	vocaloid4_4.2.1_setup.tmp
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File created	C:\Program Files (x86)\Vocaloid4FE\expdbdir\vexp1\is-S76G7.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-ER5FD.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-1FLCG.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-GPPUC.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\TamasubPlugin\is-Q15OP.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\is-536L8.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\Tegakiloid_111\iOS\Tegakiloid\Tegakiloid\is-L1CU0.tmp	vocaloid4_4.2.1_setup.tmp
File opened for modification	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\ExportVSQ\GetSaveFileName.dll	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-KKDHC.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-VG0EO.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\Tegakiloid_111\Android\Tegakiloid\res\drawable-land\is-U8660.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-KS2VR.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\TamasubPlugin\is-L0RIM.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\TamasubPlugin\is-Q09L9.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\Tegakiloid_111\Android\Tegakiloid\is-0A016.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-C6MN0.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-8UORE.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-J3OJL.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-QUPQR.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-FA007.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\Tegakiloid_111\is-LPTD8.tmp	vocaloid4_4.2.1_setup.tmp
File opened for modification	C:\Program Files (x86)\Vocaloid4FE\unins000.dat	vocaloid4_4.2.1_setup.tmp
File opened for modification	C:\Program Files (x86)\Vocaloid4FE\VstHost4.dll	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\expdbdir\vexp1\is-59AO8.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\VSTPlugins\is-N4289.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-ST1BE.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-G310D.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\VOCALOID_JobPluginSDK_V3_0_1_0\Samples\is-I3K9S.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\licenses\flac\is-9GRKD.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-0F428.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\TamasubPlugin\is-N7NLV.tmp	vocaloid4_4.2.1_setup.tmp
File opened for modification	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\TamasubPlugin\LuaXML_lib.dll	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\VOCALOID_JobPluginSDK_V3_0_1_0\Samples\is-8MT5A.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\InputMML_112\is-64JS1.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\JobPlugins\is-NOH8H.tmp	vocaloid4_4.2.1_setup.tmp
File created	C:\Program Files (x86)\Vocaloid4FE\expdbdir\vexp1\is-7SUTN.tmp	vocaloid4_4.2.1_setup.tmp

Drops file in Windows directory 5 IoCs

Processes:

vcredist_x86.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	vcredist_x86.exe
File created	\??\c:\Windows\Installer\6c57e2.ipi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C06.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\6c57e2.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 33 IoCs

Processes:

vocaloid4_4.2.1_setup.tmpmsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID4.vsqx\shell\open\command\ = "\"C:\\Program Files (x86)\\Vocaloid4FE\\VOCALOID4.exe\" \"%1\""	vocaloid4_4.2.1_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFC,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e005500410049003f00470048002e007b005d0037006a005a003f0034005d0041006e0062002400420000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e0032005f0072002700710025004a006a004a0034007600780044002800660049004c0067005a00780000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID4.vsqx\DefaultIcon	vocaloid4_4.2.1_setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFCLOC,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0027002a005b0069005b00320062006e004100340070006b0046005d006b004b0057007e005800300000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e00690060003700480050004400240062002400350035007e004a007b00730074007e0029006200780000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_ATL_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_OpenMP_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vsqx	vocaloid4_4.2.1_setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.ATL,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e004e002e004b004300300068004d0064007b00340060006d002b00380039004f002e002e003100540000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\VC_RED_enu_x86_net_SETUP	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_MFC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID4.vsqx\shell\open\command	vocaloid4_4.2.1_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID4.vsqx\shell	vocaloid4_4.2.1_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_MFCLOC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID4.vsqx	vocaloid4_4.2.1_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID4.vsqx\shell\open	vocaloid4_4.2.1_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0\SourceList\LastUsedSource = "n;2;c:\\c715240389ce901c2c1fc3d276b90ea0\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e006f006f0063007b006200340036003f004500380042006a005f0079005d005d007e004f006f002c0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vsqx\ = "VOCALOID4.vsqx"	vocaloid4_4.2.1_setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.ATL,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e00550029004600250024002a0025005a00370038002c005d007b002d007400430064004f003700310000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\VC_Redist_12222_x86_enu	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_CRT_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0\SourceList\Net\2 = "c:\\c715240389ce901c2c1fc3d276b90ea0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID4.vsqx\DefaultIcon\ = "C:\\Program Files (x86)\\Vocaloid4FE\\Icon_001.ico"	vocaloid4_4.2.1_setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.CRT,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e004b00520050005200400047006b006e005d0033003d002b004c00380047003600210061002e00490000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFC,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e00660074005a003f002800770035002b002e0034002c007e007b0044004700380037002b007800260000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFCLOC,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0042005b00240070007200510032006f004d003800720048007b00720067003d00320065006e002e0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vocaloid4_4.2.1_setup.tmpmsiexec.exe

pid process

1728 vocaloid4_4.2.1_setup.tmp
1728 vocaloid4_4.2.1_setup.tmp
1344 msiexec.exe
1344 msiexec.exe

pid	process
1728	vocaloid4_4.2.1_setup.tmp
1728	vocaloid4_4.2.1_setup.tmp
1344	msiexec.exe
1344	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEinstall.exemsiexec.exe

description	pid	process
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE
Token: SeShutdownPrivilege	1752	install.exe
Token: SeIncreaseQuotaPrivilege	1752	install.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeSecurityPrivilege	1344	msiexec.exe
Token: SeCreateTokenPrivilege	1752	install.exe
Token: SeAssignPrimaryTokenPrivilege	1752	install.exe
Token: SeLockMemoryPrivilege	1752	install.exe
Token: SeIncreaseQuotaPrivilege	1752	install.exe
Token: SeMachineAccountPrivilege	1752	install.exe
Token: SeTcbPrivilege	1752	install.exe
Token: SeSecurityPrivilege	1752	install.exe
Token: SeTakeOwnershipPrivilege	1752	install.exe
Token: SeLoadDriverPrivilege	1752	install.exe
Token: SeSystemProfilePrivilege	1752	install.exe
Token: SeSystemtimePrivilege	1752	install.exe
Token: SeProfSingleProcessPrivilege	1752	install.exe
Token: SeIncBasePriorityPrivilege	1752	install.exe
Token: SeCreatePagefilePrivilege	1752	install.exe
Token: SeCreatePermanentPrivilege	1752	install.exe
Token: SeBackupPrivilege	1752	install.exe
Token: SeRestorePrivilege	1752	install.exe
Token: SeShutdownPrivilege	1752	install.exe
Token: SeDebugPrivilege	1752	install.exe
Token: SeAuditPrivilege	1752	install.exe
Token: SeSystemEnvironmentPrivilege	1752	install.exe
Token: SeChangeNotifyPrivilege	1752	install.exe
Token: SeRemoteShutdownPrivilege	1752	install.exe
Token: SeUndockPrivilege	1752	install.exe
Token: SeSyncAgentPrivilege	1752	install.exe
Token: SeEnableDelegationPrivilege	1752	install.exe
Token: SeManageVolumePrivilege	1752	install.exe
Token: SeImpersonatePrivilege	1752	install.exe
Token: SeCreateGlobalPrivilege	1752	install.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vocaloid4_4.2.1_setup.tmp

pid process

1728 vocaloid4_4.2.1_setup.tmp

pid	process
1728	vocaloid4_4.2.1_setup.tmp

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

vocaloid4_4.2.1_setup.exevocaloid4_4.2.1_setup.tmpvcredist_x86_2008.exevcredist_x86.exe

description	pid	process	target process
PID 1260 wrote to memory of 1728	1260	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp
PID 1260 wrote to memory of 1728	1260	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp
PID 1260 wrote to memory of 1728	1260	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp
PID 1260 wrote to memory of 1728	1260	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp
PID 1260 wrote to memory of 1728	1260	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp
PID 1260 wrote to memory of 1728	1260	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp
PID 1260 wrote to memory of 1728	1260	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp
PID 1728 wrote to memory of 1016	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86_2008.exe
PID 1728 wrote to memory of 1016	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86_2008.exe
PID 1728 wrote to memory of 1016	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86_2008.exe
PID 1728 wrote to memory of 1016	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86_2008.exe
PID 1728 wrote to memory of 1016	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86_2008.exe
PID 1728 wrote to memory of 1016	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86_2008.exe
PID 1728 wrote to memory of 1016	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86_2008.exe
PID 1016 wrote to memory of 1752	1016	vcredist_x86_2008.exe	install.exe
PID 1016 wrote to memory of 1752	1016	vcredist_x86_2008.exe	install.exe
PID 1016 wrote to memory of 1752	1016	vcredist_x86_2008.exe	install.exe
PID 1016 wrote to memory of 1752	1016	vcredist_x86_2008.exe	install.exe
PID 1016 wrote to memory of 1752	1016	vcredist_x86_2008.exe	install.exe
PID 1016 wrote to memory of 1752	1016	vcredist_x86_2008.exe	install.exe
PID 1016 wrote to memory of 1752	1016	vcredist_x86_2008.exe	install.exe
PID 1728 wrote to memory of 1324	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86.exe
PID 1728 wrote to memory of 1324	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86.exe
PID 1728 wrote to memory of 1324	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86.exe
PID 1728 wrote to memory of 1324	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86.exe
PID 1728 wrote to memory of 1324	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86.exe
PID 1728 wrote to memory of 1324	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86.exe
PID 1728 wrote to memory of 1324	1728	vocaloid4_4.2.1_setup.tmp	vcredist_x86.exe
PID 1324 wrote to memory of 1708	1324	vcredist_x86.exe	vcredist_x86.exe
PID 1324 wrote to memory of 1708	1324	vcredist_x86.exe	vcredist_x86.exe
PID 1324 wrote to memory of 1708	1324	vcredist_x86.exe	vcredist_x86.exe
PID 1324 wrote to memory of 1708	1324	vcredist_x86.exe	vcredist_x86.exe
PID 1324 wrote to memory of 1708	1324	vcredist_x86.exe	vcredist_x86.exe
PID 1324 wrote to memory of 1708	1324	vcredist_x86.exe	vcredist_x86.exe
PID 1324 wrote to memory of 1708	1324	vcredist_x86.exe	vcredist_x86.exe

C:\Users\Admin\AppData\Local\Temp\vocaloid4_4.2.1_setup.exe
"C:\Users\Admin\AppData\Local\Temp\vocaloid4_4.2.1_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\is-HQ4G5.tmp\vocaloid4_4.2.1_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HQ4G5.tmp\vocaloid4_4.2.1_setup.tmp" /SL5="$70120,52056677,56832,C:\Users\Admin\AppData\Local\Temp\vocaloid4_4.2.1_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1728

C:\Program Files (x86)\Vocaloid4FE\vcredist_x86_2008.exe
"C:\Program Files (x86)\Vocaloid4FE\vcredist_x86_2008.exe" /q
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016

\??\c:\c715240389ce901c2c1fc3d276b90ea0\install.exe
c:\c715240389ce901c2c1fc3d276b90ea0\.\install.exe /q
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Program Files (x86)\Vocaloid4FE\vcredist_x86.exe
"C:\Program Files (x86)\Vocaloid4FE\vcredist_x86.exe" /q
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1324

C:\Program Files (x86)\Vocaloid4FE\vcredist_x86.exe
"C:\Program Files (x86)\Vocaloid4FE\vcredist_x86.exe" /q -burn.unelevated BurnPipe.{D605994F-A16F-4CD3-A2F8-4E3F04C94B0B} {5A512504-656D-43AB-A31A-7A7C30E2E754} 1324
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Vocaloid4FE\vcredist_x86.exe
Filesize
6.3MB

MD5
7f52a19ecaf7db3c163dd164be3e592e

SHA1
96b377a27ac5445328cbaae210fc4f0aaa750d3f

SHA256
b924ad8062eaf4e70437c8be50fa612162795ff0839479546ce907ffa8d6e386

SHA512
60220a7c9de72796bd0d6d44e2b82dbdd9c850cc611e505b7dc0213f745ff1f160b2d826eaf62fd6e07c1a31786a71d83dc6e94389690fd59b895e85aba7444b

Download Submit
C:\Program Files (x86)\Vocaloid4FE\vcredist_x86.exe
Filesize
6.3MB

MD5
7f52a19ecaf7db3c163dd164be3e592e

SHA1
96b377a27ac5445328cbaae210fc4f0aaa750d3f

SHA256
b924ad8062eaf4e70437c8be50fa612162795ff0839479546ce907ffa8d6e386

SHA512
60220a7c9de72796bd0d6d44e2b82dbdd9c850cc611e505b7dc0213f745ff1f160b2d826eaf62fd6e07c1a31786a71d83dc6e94389690fd59b895e85aba7444b

Download Submit
C:\Program Files (x86)\Vocaloid4FE\vcredist_x86.exe
Filesize
6.3MB

MD5
7f52a19ecaf7db3c163dd164be3e592e

SHA1
96b377a27ac5445328cbaae210fc4f0aaa750d3f

SHA256
b924ad8062eaf4e70437c8be50fa612162795ff0839479546ce907ffa8d6e386

SHA512
60220a7c9de72796bd0d6d44e2b82dbdd9c850cc611e505b7dc0213f745ff1f160b2d826eaf62fd6e07c1a31786a71d83dc6e94389690fd59b895e85aba7444b

Download Submit
C:\Program Files (x86)\Vocaloid4FE\vcredist_x86_2008.exe
Filesize
4.3MB

MD5
35da2bf2befd998980a495b6f4f55e60

SHA1
470640aa4bb7db8e69196b5edb0010933569e98d

SHA256
6b3e4c51c6c0e5f68c8a72b497445af3dbf976394cbb62aa23569065c28deeb6

SHA512
bf630667c87b8f10ef85b61f2f379d7ce24124618b999babfec8e2df424eb494b8f1bf0977580810dff5124d4dbdec9539ff53e0dc14625c076fa34dfe44e3f2

Download Submit
C:\Program Files (x86)\Vocaloid4FE\vcredist_x86_2008.exe
Filesize
4.3MB

MD5
35da2bf2befd998980a495b6f4f55e60

SHA1
470640aa4bb7db8e69196b5edb0010933569e98d

SHA256
6b3e4c51c6c0e5f68c8a72b497445af3dbf976394cbb62aa23569065c28deeb6

SHA512
bf630667c87b8f10ef85b61f2f379d7ce24124618b999babfec8e2df424eb494b8f1bf0977580810dff5124d4dbdec9539ff53e0dc14625c076fa34dfe44e3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2B80.txt
Filesize
1KB

MD5
fab672e37e0e776f45bafde7ca21d022

SHA1
583fb355c1336ececbbdb948e4427d1999bc2ef3

SHA256
c1ee64a0c8ce9ad5e2e3fcf17fdab9b46c275ac9c2e04ec09b54b41ff2aefce0

SHA512
f5aeeed0eaff8ed41c9f7cffc8ce00356da16ee9de34e445d49236f66ae6d71d5653560091a0c93f79bcacda678ffb6e737768090b90325454c4c533cf1b761e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HQ4G5.tmp\vocaloid4_4.2.1_setup.tmp
Filesize
692KB

MD5
9862c8171b748884c7749dd6a67da175

SHA1
0524efae9f5dbdde283d43b9e5e1ccb90f75c2c6

SHA256
5a972731e0bdac7422e0bf6dcee6a5cd763b065bb2a661420e468ac078b1f5b7

SHA512
a0733d42029673ecb07ece32380ec33eeeb38103626ef385afea1d9c09d691e2c8b2101fcc87dbd363eae1fc8990cd7a1956077a7f2d3724e5fee6599372aefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HQ4G5.tmp\vocaloid4_4.2.1_setup.tmp
Filesize
692KB

MD5
9862c8171b748884c7749dd6a67da175

SHA1
0524efae9f5dbdde283d43b9e5e1ccb90f75c2c6

SHA256
5a972731e0bdac7422e0bf6dcee6a5cd763b065bb2a661420e468ac078b1f5b7

SHA512
a0733d42029673ecb07ece32380ec33eeeb38103626ef385afea1d9c09d691e2c8b2101fcc87dbd363eae1fc8990cd7a1956077a7f2d3724e5fee6599372aefc

Download Submit
C:\c715240389ce901c2c1fc3d276b90ea0\install.exe
Filesize
547KB

MD5
4138c31964fbcb3b7418e086933324c3

SHA1
97cc6f58fb064ab6c4a2f02fb665fef77d30532f

SHA256
b72056fc3df6f46069294c243fe5006879bf4a9d8eef388369a590ca41745f29

SHA512
40cf2f35c3a944fca93d58d66465f0308197f5485381ff07d3065e0f59e94fc3834313068e4e5e5da395413ff2d3d1c3ff6fa050f2256e118972bf21a5643557

Download Submit
\??\c:\c715240389ce901c2c1fc3d276b90ea0\globdata.ini
Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\c715240389ce901c2c1fc3d276b90ea0\install.ini
Filesize
841B

MD5
f8f6c0e030cb622f065fe47d61da91d7

SHA1
cf6fa99747de8f35c6aea52df234c9c57583baa3

SHA256
c16727881c47a40077dc5a1f1ea71cbb28e3f4e156c0ae7074c6d7f5ecece21d

SHA512
b70c6d67dac5e6a0dbd17e3bcf570a95914482abad20d0304c02da22231070b4bc887720dbae972bc5066457e1273b68fde0805f1c1791e9466a5ca343485cde

Download Submit
\??\c:\c715240389ce901c2c1fc3d276b90ea0\install.res.1033.dll
Filesize
85KB

MD5
ff6003014eefc9c30abe20e3e1f5fbe8

SHA1
4a5bd05f94545f01efc10232385b8fecad300678

SHA256
a522c5ea3250cdd538a9ce7b4a06dfd5123e7eb05eef67509f2b975a8e1d3067

SHA512
3adc5c705bab7fa7b50517a5eb3301491f5150b56e1088ed436590458e963da204cd1875af75db89742403476a56a94c3f425c05327767bdb4bbee4859667ac2

Download Submit
\??\c:\c715240389ce901c2c1fc3d276b90ea0\vc_red.cab
Filesize
3.7MB

MD5
0ee84ab717bc400c5e96c8d9d329fbb0

SHA1
be4ba7bbb068c7256b70f4fd7634eaeb2ad04d0a

SHA256
461d575bc1a07f64c14f1da885d2f310bd282cbbedcd0a5cf8ffa7057411805d

SHA512
4a6b0619f471a51df09fb6c1eff4ed166cdb7ef57f79ffdf709fa952a7c2a176c338084689c8ace1a94024a24579e9ee0ab6d411c25a1b42b0f517c57749d1a2

Download Submit
\??\c:\c715240389ce901c2c1fc3d276b90ea0\vc_red.msi
Filesize
222KB

MD5
7e641e6a0b456271745c20c3bb8a18f9

SHA1
ae6cedcb81dc443611a310140ae4671789dbbf3a

SHA256
34c5e7d7ea270ee67f92d34843d89603d6d3b6d9ef5247b43ae3c59c909d380d

SHA512
f67d6bf69d094edcc93541332f31b326131ff89672edb30fd349def6952ad8bfd07dc2f0ca5967b48a7589eee5b7a14b9a2c1ebe0cba4ae2324f7957090ea903

Download Submit
\Program Files (x86)\Vocaloid4FE\VOCALOID4.exe
Filesize
784KB

MD5
a8e8c89436b46c098c4e05247b6de607

SHA1
b286d1cc60a9c02779219af289882b7b64c68536

SHA256
04cc0a073ca1199253d22f473dd9bf8c76dbacd01d80574fc074b0e3c60534ac

SHA512
97cb49746fd6002a0c3f84e1fb86099c887f6d138c1180f047ba2878426040898dcdf6c8f1de4b9bfe221e5ba69d772843e06ea39d9049ab7d0133268ab8f16a

Download Submit
\Program Files (x86)\Vocaloid4FE\VOCALOID4.exe
Filesize
784KB

MD5
a8e8c89436b46c098c4e05247b6de607

SHA1
b286d1cc60a9c02779219af289882b7b64c68536

SHA256
04cc0a073ca1199253d22f473dd9bf8c76dbacd01d80574fc074b0e3c60534ac

SHA512
97cb49746fd6002a0c3f84e1fb86099c887f6d138c1180f047ba2878426040898dcdf6c8f1de4b9bfe221e5ba69d772843e06ea39d9049ab7d0133268ab8f16a

Download Submit
\Program Files (x86)\Vocaloid4FE\unins000.exe
Filesize
703KB

MD5
19165445358d2a8b9bcf5c07b3f03f99

SHA1
1dd4b7774601487b8c367aabab42d3a8512ede36

SHA256
fb557e2e060110a5ea92adb647da13abcf36f4ec7a9fdd887d51319d483aaad9

SHA512
f82b6f98af3b6099b447364ca8b27098a2b6024210cb6b993844cfd8609e97d13ee4b9e001329fc0ba08e21cdbf3dd51c341a29ea4df0bea9778fadd9120ff51

Download Submit
\Program Files (x86)\Vocaloid4FE\vcredist_x86.exe
Filesize
6.3MB

MD5
7f52a19ecaf7db3c163dd164be3e592e

SHA1
96b377a27ac5445328cbaae210fc4f0aaa750d3f

SHA256
b924ad8062eaf4e70437c8be50fa612162795ff0839479546ce907ffa8d6e386

SHA512
60220a7c9de72796bd0d6d44e2b82dbdd9c850cc611e505b7dc0213f745ff1f160b2d826eaf62fd6e07c1a31786a71d83dc6e94389690fd59b895e85aba7444b

Download Submit
\Program Files (x86)\Vocaloid4FE\vcredist_x86.exe
Filesize
6.3MB

MD5
7f52a19ecaf7db3c163dd164be3e592e

SHA1
96b377a27ac5445328cbaae210fc4f0aaa750d3f

SHA256
b924ad8062eaf4e70437c8be50fa612162795ff0839479546ce907ffa8d6e386

SHA512
60220a7c9de72796bd0d6d44e2b82dbdd9c850cc611e505b7dc0213f745ff1f160b2d826eaf62fd6e07c1a31786a71d83dc6e94389690fd59b895e85aba7444b

Download Submit
\Program Files (x86)\Vocaloid4FE\vcredist_x86_2008.exe
Filesize
4.3MB

MD5
35da2bf2befd998980a495b6f4f55e60

SHA1
470640aa4bb7db8e69196b5edb0010933569e98d

SHA256
6b3e4c51c6c0e5f68c8a72b497445af3dbf976394cbb62aa23569065c28deeb6

SHA512
bf630667c87b8f10ef85b61f2f379d7ce24124618b999babfec8e2df424eb494b8f1bf0977580810dff5124d4dbdec9539ff53e0dc14625c076fa34dfe44e3f2

Download Submit
\Users\Admin\AppData\Local\Temp\is-HQ4G5.tmp\vocaloid4_4.2.1_setup.tmp
Filesize
692KB

MD5
9862c8171b748884c7749dd6a67da175

SHA1
0524efae9f5dbdde283d43b9e5e1ccb90f75c2c6

SHA256
5a972731e0bdac7422e0bf6dcee6a5cd763b065bb2a661420e468ac078b1f5b7

SHA512
a0733d42029673ecb07ece32380ec33eeeb38103626ef385afea1d9c09d691e2c8b2101fcc87dbd363eae1fc8990cd7a1956077a7f2d3724e5fee6599372aefc

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSJ97.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSJ97.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSJ97.tmp\bass.dll
Filesize
91KB

MD5
26295a0baf87955f2e37735af135ca45

SHA1
97f468d3ebaca4774ce69f6f55c998b93a912540

SHA256
0bd42c13dd0a5c881e80f161f7548b093c4fd99a747c13568af983e2c76cd71a

SHA512
6760c5fe3621b1d9c84a5c974c28d796cfba83dba4ff0e9f9eb0ed19cb47a6fc6a1322f58193eb4d638e214f7e61e9543f6f9235c2be8888bcd075fa7650b20a

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSJ97.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSJ97.tmp\isgsg.dll
Filesize
34KB

MD5
09974eaff6defadde38b1328754dbe09

SHA1
001cfb5514444188e455b97acc369f037079ca9d

SHA256
9eeef28d82fc4db7d1269dfbc0ea282768ce5e2e4e4bdc867d80d6847468dca7

SHA512
da29b01ebebb454c004420c6b29bb8dca9fb50554a7a5db30035a5ec458d766049bf5502f708bf7eb210a4f9cbdb308cc0c8dcdad9f745b01a9e4f1455bbc846

Download Submit
\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll
Filesize
126KB

MD5
d7bf29763354eda154aad637017b5483

SHA1
dfa7d296bfeecde738ef4708aaabfebec6bc1e48

SHA256
7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

SHA512
1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

Download Submit
\c715240389ce901c2c1fc3d276b90ea0\install.exe
Filesize
547KB

MD5
4138c31964fbcb3b7418e086933324c3

SHA1
97cc6f58fb064ab6c4a2f02fb665fef77d30532f

SHA256
b72056fc3df6f46069294c243fe5006879bf4a9d8eef388369a590ca41745f29

SHA512
40cf2f35c3a944fca93d58d66465f0308197f5485381ff07d3065e0f59e94fc3834313068e4e5e5da395413ff2d3d1c3ff6fa050f2256e118972bf21a5643557

Download Submit
\c715240389ce901c2c1fc3d276b90ea0\install.res.1033.dll
Filesize
85KB

MD5
ff6003014eefc9c30abe20e3e1f5fbe8

SHA1
4a5bd05f94545f01efc10232385b8fecad300678

SHA256
a522c5ea3250cdd538a9ce7b4a06dfd5123e7eb05eef67509f2b975a8e1d3067

SHA512
3adc5c705bab7fa7b50517a5eb3301491f5150b56e1088ed436590458e963da204cd1875af75db89742403476a56a94c3f425c05327767bdb4bbee4859667ac2

Download Submit
memory/1016-80-0x0000000000000000-mapping.dmp

Download
memory/1260-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1260-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1260-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1324-97-0x0000000000000000-mapping.dmp

Download
memory/1344-93-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/1708-102-0x0000000000000000-mapping.dmp

Download
memory/1728-65-0x0000000001E00000-0x0000000001E15000-memory.dmp

Filesize
84KB

Download
memory/1728-67-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/1728-71-0x0000000004780000-0x00000000047B1000-memory.dmp

Filesize
196KB

Download
memory/1728-77-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1728-58-0x0000000000000000-mapping.dmp

Download
memory/1728-72-0x0000000074AC1000-0x0000000074AC3000-memory.dmp

Filesize
8KB

Download
memory/1728-73-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/1728-78-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1752-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads