7d32e51937a3733b82a26515db805f698e70c59cda391ddda01411bc9891f490

Analysis

max time kernel
34s
max time network
39s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11/06/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

voicemeetersetup.exe
Size

23.0MB
MD5

498b965e8cb309fcd76095905c37dc2b
SHA1

18ef98f027a355503045f599d36e1f6da5d5a12d
SHA256

7d32e51937a3733b82a26515db805f698e70c59cda391ddda01411bc9891f490
SHA512

6f937a9a987308d9bec4431858df594bbda0334b6e3d83158febac63fed7823ec585a1ae22b64ae3295bd2f557b0b81549615c5e85f1219aa2600f18d6694d94
SSDEEP

393216:d4lDeyK3pMYU/zvex9SaRw/WRLq3jreWKC6tBwvsMiSirhk1ufkNlQoTJRyCrTde:d4lDeyK3pMYU/zvwSaRwWA35z6tBwvXQ

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}\SET7F53.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}\vbvoicemeetervaio64_win10.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}\vbvoicemeetervaio64_win10.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vbvoicemeetervaio64_win10.inf_amd64_c2bd37de84fa6e4f\vbvoicemeetervaio64_win10.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}\SET7F52.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}\SET7F54.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vbvoicemeetervaio64_win10.inf_amd64_c2bd37de84fa6e4f\vbvoicemeetervaio64_win10.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vbvoicemeetervaio64_win10.inf_amd64_c2bd37de84fa6e4f\vbvoicemeetervaio64_win10.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vbvoicemeetervaio64_win10.inf_amd64_c2bd37de84fa6e4f\vbvoicemeetervaio64_win10.PNF	VBVoicemeeterVAIO_Setup_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}\SET7F53.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}\vbvoicemeetervaio64_win10.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}\SET7F54.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0025f6ec-b256-c44f-be1d-1b3b66249d61}\SET7F52.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VB\Voicemeeter\vbusbgpi_uart.inf	voicemeetersetup.exe
File opened for modification	C:\Program Files\VB\VBVoicemeeterVAIOs\VBVoicemeeterVAIO_Setup_x64.exe	VBVoicemeeterVAIO_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win7.cat	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_win7.inf	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\voicemeeter_x64.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver.dll	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBAudioLogoWhite_72x72.png	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSGEQ15.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvoicemeetervaio64_win10.cat	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_xp.inf	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_2003.inf	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvoicemeetervaio64_win10.inf	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VMStreamerView.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterRemote.dll	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_2003.cat	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\button_72x72.png	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_2003.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_win10.inf	voicemeetersetup.exe
File opened for modification	C:\Program Files (x86)\VB\Voicemeeter\voicemeetersetup.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBDeviceCheck.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_ControlPanel.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_vista.inf	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterMacroButtons.exe	voicemeetersetup.exe
File created	C:\Program Files\VB\VBVoicemeeterVAIOs\VBVoicemeeterVAIO_Setup_x64.exe	VBVoicemeeterVAIO_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_2003.cat	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_xp.cat	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_win10.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbusbgpi_uart_xp_vista.inf	voicemeetersetup.exe
File created	C:\Program Files\VB\VBVoicemeeterVAIOs\VBVoicemeeterVAIO_ControlPanel.exe	VBVoicemeeterVAIO_Setup_x64.exe
File opened for modification	C:\Program Files\VB\VBVoicemeeterVAIOs\VBVoicemeeterVAIO_ControlPanel.exe	VBVoicemeeterVAIO_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_win7.cat	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\MacroButton_72x72.png	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterLogo_72x72.png	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvoicemeetervaio64_win10.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBVoicemeeterVAIO_ControlPanel.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_vista.inf	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\voicemeeter.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSMatrix8.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_vista.cat	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_2003.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_vista.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\voicemeetersetup.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win10.cat	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win7.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup_x64.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBVoicemeeterVAIO_Setup_x64.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBAudioLogoBlack_72x72.png	voicemeetersetup.exe
File created	C:\Program Files\VB\VBVoicemeeterVAIOs\vbvoicemeetervaio64_win10.inf	VBVoicemeeterVAIO_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_2003.inf	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\Voicemeeter_Help.xml	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBAN2MIDI.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_vista.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_win10.inf	voicemeetersetup.exe
File opened for modification	C:\Program Files\VB\VBVoicemeeterVAIOs\vbvoicemeetervaio64_win10.inf	VBVoicemeeterVAIO_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_vista.cat	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_win7.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_win7.inf	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\readme.txt	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win10.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_xp.sys	voicemeetersetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_win10.cat	voicemeetersetup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	VBVoicemeeterVAIO_Setup_x64.exe

Executes dropped EXE 2 IoCs

pid	Process
1596	VBVoicemeeterVAIO_Setup_x64.exe
1892	vbregsvr64.exe

Loads dropped DLL 2 IoCs

pid	Process
1204	voicemeetersetup.exe
1892	vbregsvr64.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvm_asiodriver64.dll"	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ThreadingModel = "Apartment"	vbregsvr64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 48 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	voicemeetersetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	voicemeetersetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	voicemeetersetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	voicemeetersetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	voicemeetersetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	voicemeetersetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	VBVoicemeeterVAIO_Setup_x64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "191"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvm_asiodriver64.dll"	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvm_asiodriver.dll"	voicemeetersetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ThreadingModel = "Apartment"	voicemeetersetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\ = "Voicemeeter Virtual ASIO"	vbregsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}	vbregsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ThreadingModel = "Apartment"	vbregsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}	voicemeetersetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\ = "Voicemeeter Virtual ASIO"	voicemeetersetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32	voicemeetersetup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeAuditPrivilege	3876	svchost.exe
Token: SeSecurityPrivilege	3876	svchost.exe
Token: SeLoadDriverPrivilege	1596	VBVoicemeeterVAIO_Setup_x64.exe
Token: SeRestorePrivilege	872	DrvInst.exe
Token: SeBackupPrivilege	872	DrvInst.exe
Token: SeRestorePrivilege	872	DrvInst.exe
Token: SeBackupPrivilege	872	DrvInst.exe
Token: SeLoadDriverPrivilege	872	DrvInst.exe
Token: SeLoadDriverPrivilege	872	DrvInst.exe
Token: SeLoadDriverPrivilege	872	DrvInst.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2436	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1596	1204	voicemeetersetup.exe	80
PID 1204 wrote to memory of 1596	1204	voicemeetersetup.exe	80
PID 3876 wrote to memory of 4692	3876	svchost.exe	82
PID 3876 wrote to memory of 4692	3876	svchost.exe	82
PID 3876 wrote to memory of 872	3876	svchost.exe	83
PID 3876 wrote to memory of 872	3876	svchost.exe	83
PID 1204 wrote to memory of 1892	1204	voicemeetersetup.exe	85
PID 1204 wrote to memory of 1892	1204	voicemeetersetup.exe	85
PID 1204 wrote to memory of 2788	1204	voicemeetersetup.exe	87
PID 1204 wrote to memory of 2788	1204	voicemeetersetup.exe	87
PID 2788 wrote to memory of 4824	2788	msedge.exe	88
PID 2788 wrote to memory of 4824	2788	msedge.exe	88
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 1244	2788	msedge.exe	89
PID 2788 wrote to memory of 4308	2788	msedge.exe	90
PID 2788 wrote to memory of 4308	2788	msedge.exe	90
PID 2788 wrote to memory of 2220	2788	msedge.exe	91
PID 2788 wrote to memory of 2220	2788	msedge.exe	91
PID 2788 wrote to memory of 2220	2788	msedge.exe	91
PID 2788 wrote to memory of 2220	2788	msedge.exe	91
PID 2788 wrote to memory of 2220	2788	msedge.exe	91
PID 2788 wrote to memory of 2220	2788	msedge.exe	91
PID 2788 wrote to memory of 2220	2788	msedge.exe	91
PID 2788 wrote to memory of 2220	2788	msedge.exe	91
PID 2788 wrote to memory of 2220	2788	msedge.exe	91
PID 2788 wrote to memory of 2220	2788	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\voicemeetersetup.exe
"C:\Users\Admin\AppData\Local\Temp\voicemeetersetup.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Program Files (x86)\VB\Voicemeeter\VBVoicemeeterVAIO_Setup_x64.exe
  -h -i -H -n
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe
  -fC:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.vb-audio.com/Voicemeeter/ThankYou.htm
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffcbf73cb8,0x7fffcbf73cc8,0x7fffcbf73cd8
    3⤵
    PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,5653956121050101408,6892950082567668654,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:2
    3⤵
    PID:1244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,5653956121050101408,6892950082567668654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,5653956121050101408,6892950082567668654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
    3⤵
    PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,5653956121050101408,6892950082567668654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:4284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,5653956121050101408,6892950082567668654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{23280fc9-f6f8-cd47-a1ff-c7d90bc4c052}\vbvoicemeetervaio64_win10.inf" "9" "43914f2f7" "0000000000000154" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\vb\voicemeeter"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4692
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce8840c48fa1f:VBCableInst:15.24.8.620:vbvoicemeetervaio," "43914f2f7" "0000000000000154" "5548"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1216

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a3d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VB\Voicemeeter\VBAN2MIDI.exe

Filesize
320KB

MD5
0c2cf9740d7e27330a1105d7376364d1

SHA1
52c15fcad864d5fab096ceb2d911796c40d5248c

SHA256
baf390d96ba8f0100af74007a52481bd3825949faf4bcbc259fe47492994d87b

SHA512
74cbbb435c30b17d547ed18a24cce27e560c87ff31a39f6f2c94de070c492e3bb1fa2b86cb30133ad0af272b283658dd42b86f52850f524aa2133868e95a9a22

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VBVoicemeeterVAIO_ControlPanel.exe

Filesize
910KB

MD5
6846585cc3d1eb6a0e4cf68e263da266

SHA1
0bddcd4008a16a03e304ab11031a7edfffe09add

SHA256
721702fb9ebf73244d2b4cd3070ab48fa790547c45826445100edd8989e78d67

SHA512
3d2c1c3d96ab9cc6c430619e46719819b5e7bd0ce5b4797b79fac412b9a3282b1f1ce021264e82671f5e70baeeecda09804c46e463d8578a079cf3c6509cf4d9

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VBVoicemeeterVAIO_Setup_x64.exe

Filesize
900KB

MD5
f2add656a75cd81abf4a8980634e92a1

SHA1
e4d53b74d1a1abf41130c350490770226790e920

SHA256
28c6409a5ccebb1f83dc25660d800f95c22ca5eff05978f4e3bc780a50d37b61

SHA512
d9925bdd348a97609a7a167ee1931bf875e3152904c4f447d8c2000af450e26e4433cea4485eded9c38f70b24d2f6a93c21308a9d6546b25e4ddd064190025ee

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VMStreamerView.exe

Filesize
116KB

MD5
e0a5d9d991436c9ac797cb86c9140f12

SHA1
00c4a6f37ecea86bf9e921bdc4328d5700e051da

SHA256
c1d7a37cf33bc1d0096df4aba6895232df8fa63e8adafee96fb4f748a09301d8

SHA512
f7a89d9ff6f985d77aa3f6f79a72b0b56aa8bbc6d2d7c8f73c49918966c0eaf5cc9b0a92c1775bdf3ad17d50d0ded1c6ba327395648517e9b787eeff5108bf3a

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSGEQ15.exe

Filesize
526KB

MD5
428f5d6c1ad8a8cc1ccb07b7de7b5836

SHA1
250252a7211ad9a4e5efc00f642197959751bdf6

SHA256
54910065ce0530097d6c8cc1463fd208e4ced199868081528a3e4bc8f39d15b9

SHA512
6d86d8db5e948892b16a21ad89df0939aa1bf85eb50322d0d7728724948ce5cf51c01cf4618b4a1ddbd792b00adcf5969a14ed96ee66c366955cf841cc59dbcd

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSMatrix8.exe

Filesize
157KB

MD5
8f90b3cf9ae14522043edba0fe02d034

SHA1
d697d5b8c2130a5c99ab3ee043769a99c44410c5

SHA256
5e26c31db77526c7c76cd88117993772331883e6ab668601727ce10a7e418e8f

SHA512
c90b81fd1c6bd8c07eba3f36432c42fabf013272dda7a359b6cdef0f663541083b9f6758a55b1b62eae24d3cd8fc8ac38af43caf188b3838c98da204e117b51a

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterMacroButtons.exe

Filesize
1.3MB

MD5
0fe23715c8649ec35ed52cba9b03632c

SHA1
dfc797edee82a6e5074a2164041259f1d0f7ab7b

SHA256
ebcc01ee1c87b3f8d237a462180eb1235f597e20dca76d79448dc4fb2834b10f

SHA512
461293aa9087516cdb5770ac8342192badb2be8ae57d8aad48988a81ce57790fefa1b505cbd96c4942883433404bd4a01d2cec756d2a1fbdffbf69a27800d07d

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe

Filesize
47KB

MD5
a8442fae07f1a7edca6fa2e0e94c2059

SHA1
d30851d5e11d9e87bb99ab4ecfaec2099b7e1156

SHA256
f2b62bef11048c74a7d1b2cd8e217738b3a7d627de6d001b298f034116626e6b

SHA512
ca0de0d6e28864f84dd09ea38846eef0920a8cd63dcb950e9cffb9c0be057b0aa9cb59f209fe8181962c605924d2e77c837e2b3ed45fe700edd24a3cf66e5ac2

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver.dll

Filesize
104KB

MD5
a892e96083fc604983440f94fd6cc591

SHA1
68ea2da5591b9607074796ff5df8c0dd26ee311b

SHA256
f29948019d4c4eb07b9a0ce5fef7cffb877617b1959fb5c90f52890be541eb64

SHA512
92a9d802cce5552dd076a99d0162ed2db555e815daac1aa71164fea90ce145908983486d67dc7512e2b5dae16de2e28b4aa96693b33a1c290b9666fe8abb35d9

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll

Filesize
122KB

MD5
fc454e758b637695f756bff5efce6117

SHA1
33ee4d6bf58ad222b46366792e343563b7385f1d

SHA256
f8d17fb939f6cf7f2a4ea42ad1925bd67ec51c88e43dbbf4c4296aa4499b80a0

SHA512
6104e0648a6a6c0cbf6abbe7043a8124c201a54505d8cac62493403d7cc5c59cd59d8d423bcdf0acfd48ef68dd818a662ab0eabb0f2e0ff88cebfa45b0f3ebd0

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvoicemeetervaio64_win10.inf

Filesize
25KB

MD5
0e85af48ba3f47e3b9dfba7313a86df4

SHA1
eb3d8d1f889916e6f760cf838242945b9ec79c75

SHA256
6125d25e93794e8fc993d68a5196b905f9b70e5f194cf5358591203e34bf7ce1

SHA512
8a846085be46557bb57cf735442a7745b0aab745ed86828648765593b5b49f29464163de0e819dcae250b82da46c1b9b59f773c2ef86d2ac01ae3026e94bbcc7

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\voicemeeter.exe

Filesize
6.6MB

MD5
81c95a9e7ce02f9652c7335c350236a0

SHA1
669612d1f0a50f86df2d460f737a44bea0dc975e

SHA256
e6a17c6a21f87a712fe7dd343a81f8d9b389cbb46bc3850097197de673bbc4e2

SHA512
8258dd14a66ec9d6414ab54be19d8734f2dfd35be17f85b7fd26fd4fc5554b836a079ea6922171d3e410cec645ec07c056c9842aae1898c637b2dd9a19c04a80

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\voicemeeter_x64.exe

Filesize
6.7MB

MD5
3e167defcbe9309e7fc460b711d77b38

SHA1
007987f9903b9b1b1dae8ab50150d2a2ee6fa523

SHA256
675c5484b5131d3425b7d41440b875f8978d841daf8193727813068510c4f94b

SHA512
188b968a315a12ac7f6d0efd9069e73f080100382d63e499fe757409582d8bc69ab5bc4266983add56050b4faae1d3ff167a001e3d90e06ef9d8804c16771588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8294f1821fd3419c0a42b389d19ecfc6

SHA1
cd4982751377c2904a1d3c58e801fa013ea27533

SHA256
92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a

SHA512
372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
390187670cb1e0eb022f4f7735263e82

SHA1
ea1401ccf6bf54e688a0dc9e6946eae7353b26f1

SHA256
3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947

SHA512
602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f2e103b71f6cb143ffc03f110f971e06

SHA1
9c1cb89a28ff90b552b3198a33e63f893d0fe990

SHA256
911cf6be44b4d28c9e74cbe9c1125300ac87d8c2980cc8108e9395b58d3baca0

SHA512
0b94afa32f0d80a6650948d9f511831c4206e37b16c8d6778fd1c24b98681e421a04c61e0c6ac50041ce3c2373516334eb24550e1a043c0297056efa9c02d6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
70e223b38488fc3ec95e675f57b895a3

SHA1
ca655da8710983d2e043b87a188f4066111a52c6

SHA256
31010dd8582989916a7559b4bf9d0e76f6f53db0dea9ae924cd80686f96f91cc

SHA512
652d3bb74976dbfb7c32ad33510d902ad8eb0c727e13b8aaeb28be4189d821fe148a9994eb5b988d4a44861ea870a5562d27529926a65dca6053878054bef47b

Download Submit
\??\c:\PROGRA~2\vb\VOICEM~1\VBVOIC~1.SYS

Filesize
289KB

MD5
a18ec39d760706247981266e4f3018ad

SHA1
39dca47f7905e684826c32bc5e98d977b508f906

SHA256
a01a4a567abf278d300626f19f14518715375d912c30d613ea6f41e91bd2dd14

SHA512
81eeb22accbc82acdabcd3dd036e3c3f7181874387fbfabee90d40e0785be98dd49c4d13f8a0500b71abc0a02d7622ab4f2da5f34338476faa2116edcf5d9ce7

Download Submit
\??\c:\program files (x86)\vb\voicemeeter\vbvoicemeetervaio64_win10.cat

Filesize
11KB

MD5
1e9e3e47ea88f9bfccc7fb142cdb9cbd

SHA1
51372978bcc339edc7ac2854ff14c4bea02afaf2

SHA256
dddd2b4fdb8653821efb775b41e2c696e4cf93a23564fd199a6dbea4147cff83

SHA512
a8287fcc300b5a69411a824f075741f47cc120220706280cbebacfc56132e5a2e9a4eb4ad217c9c6505e48057eadfa9d3fca83fda453364b952e7d49ec8cdf3f

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads