hxxps://vb-audio[.]com/Voicemeeter/banana[.]htm

Analysis

max time kernel
134s
max time network
137s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07/09/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vb-audio.com/Voicemeeter/banana.htm

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
3208	VBVoicemeeterVAIO_Setup_x64.exe
644	vbregsvr64.exe
4928	vbregsvr64.exe
3664	vbregsvr64.exe

Loads dropped DLL 6 IoCs

pid	Process
4804	voicemeeterprosetup.exe
4804	voicemeeterprosetup.exe
4804	voicemeeterprosetup.exe
644	vbregsvr64.exe
4928	vbregsvr64.exe
3664	vbregsvr64.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vbvoicemeetervaio64_win10.inf_amd64_c2bd37de84fa6e4f\vbvoicemeetervaio64_win10.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vbvoicemeetervaio64_win10.inf_amd64_c2bd37de84fa6e4f\vbvoicemeetervaio64_win10.PNF	VBVoicemeeterVAIO_Setup_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}\vbvoicemeetervaio64_win10.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}\vbvoicemeetervaio64_win10.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}\vbvoicemeetervaio64_win10.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vbvoicemeetervaio64_win10.inf_amd64_c2bd37de84fa6e4f\vbvoicemeetervaio64_win10.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}\SET65.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vbvoicemeetervaio64_win10.inf_amd64_c2bd37de84fa6e4f\vbvoicemeetervaio64_win10.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}\SET54.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}\SET54.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}\SET65.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}\SET75.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5d4a8460-63cd-1449-bfd7-0da7c135a92c}\SET75.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmauxvaio_2003.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvmins_asiodriver64.dll	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio64_win7.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmauxvaio64_vista.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_vista.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_xp.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_2003.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterRemote64.dll	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio_2003.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\voicemeeter.exe	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSGEQ15.exe	voicemeeterprosetup.exe
File opened for modification	C:\Program Files\VB\VBVoicemeeterVAIOs\VBVoicemeeterVAIO_ControlPanel.exe	VBVoicemeeterVAIO_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvoicemeetervaio64_win10.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio_xp.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\mp3lame\lame_enc.dll	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win10.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win7.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio_2003.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBanana_Help.xml	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\MacroButton_72x72.png	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio_xp.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvmaux_asiodriver64.dll	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\button_72x72.png	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\voicemeeter_x64.exe	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterRemote.dll	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBVMAUX_Setup_x64.exe	voicemeeterprosetup.exe
File opened for modification	C:\Program Files (x86)\VB\Voicemeeter\voicemeeterprosetup.exe	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_vista.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio_win10.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_2003.sys	voicemeeterprosetup.exe
File opened for modification	C:\Program Files\VB\VBVoicemeeterVAIOs\VBVoicemeeterVAIO_Setup_x64.exe	VBVoicemeeterVAIO_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win10.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio64_2003.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_2003.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBAudioLogoBlack_72x72.png	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio64_win7.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup.exe	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterLogo_72x72.png	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio_vista.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBVMAUX_Setup.exe	voicemeeterprosetup.exe
File created	C:\Program Files\VB\VBVoicemeeterVAIOs\vbvoicemeetervaio64_win10.inf	VBVoicemeeterVAIO_Setup_x64.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbusbgpi_uart.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio_win10.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio64_2003.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_2003.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBCABLE_Setup_x64.exe	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio_win7.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_win7.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmvaio64_win10.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\voicemeeterprosetup.exe	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_win7.cat	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_2003.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBVMAUX_ControlPanel.exe	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmauxvaio_win7.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\mp3lame\lame_License.txt	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbvoicemeetervaio64_win10.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\Voicemeeter_Help.xml	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmauxvaio_vista.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\VBvmauxvaio_xp.inf	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_vista.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmauxvaio64_vista.sys	voicemeeterprosetup.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\vbaudio_vmvaio_xp.sys	voicemeeterprosetup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	VBVoicemeeterVAIO_Setup_x64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemeeterprosetup.exe

Checks SCSI registry key(s) 3 TTPs 48 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	voicemeeterprosetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	voicemeeterprosetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	voicemeeterprosetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LocationInformation	voicemeeterprosetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	voicemeeterprosetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	VBVoicemeeterVAIO_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	VBVoicemeeterVAIO_Setup_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	voicemeeterprosetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\ = "Voicemeeter Virtual ASIO"	vbregsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32	voicemeeterprosetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}\InprocServer32	voicemeeterprosetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}\InprocServer32\ThreadingModel = "Apartment"	voicemeeterprosetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvm_asiodriver.dll"	voicemeeterprosetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}\InprocServer32\ThreadingModel = "Apartment"	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{368955AF-5482-4057-AB31-D094AF769772}\InprocServer32\ThreadingModel = "Apartment"	vbregsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}\ = "Voicemeeter AUX Virtual ASIO"	vbregsvr64.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}	voicemeeterprosetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368955AF-5482-4057-AB31-D094AF769772}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvmins_asiodriver.dll"	voicemeeterprosetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368955AF-5482-4057-AB31-D094AF769772}\InprocServer32\ThreadingModel = "Apartment"	voicemeeterprosetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368955AF-5482-4057-AB31-D094AF769772}\InprocServer32	voicemeeterprosetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}\InprocServer32	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ThreadingModel = "Apartment"	vbregsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvmaux_asiodriver64.dll"	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{368955AF-5482-4057-AB31-D094AF769772}\ = "Voicemeeter Insert Virtual ASIO"	vbregsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{368955AF-5482-4057-AB31-D094AF769772}\InprocServer32	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\ = "Voicemeeter Virtual ASIO"	voicemeeterprosetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvm_asiodriver64.dll"	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvmaux_asiodriver.dll"	voicemeeterprosetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368955AF-5482-4057-AB31-D094AF769772}	voicemeeterprosetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{368955AF-5482-4057-AB31-D094AF769772}	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}\ = "Voicemeeter AUX Virtual ASIO"	voicemeeterprosetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{368955AF-5482-4057-AB31-D094AF769772}\InprocServer32\ = "c:\\program files (x86)\\vb\\voicemeeter\\vbvmins_asiodriver64.dll"	vbregsvr64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9175CF07-885D-46B4-9EA1-4126D6648DE6}\InprocServer32\ThreadingModel = "Apartment"	voicemeeterprosetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAEC28F8-10AC-4BDB-AC16-8CE24BBF8E9D}	voicemeeterprosetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368955AF-5482-4057-AB31-D094AF769772}\ = "Voicemeeter Insert Virtual ASIO"	voicemeeterprosetup.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VoicemeeterSetup_v2113.zip:Zone.Identifier	msedge.exe
File created	C:\Program Files (x86)\VB\Voicemeeter\voicemeeterprosetup.exe\:Zone.Identifier:$DATA	voicemeeterprosetup.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
2840	msedge.exe
2840	msedge.exe
2028	identity_helper.exe
2028	identity_helper.exe
4876	msedge.exe
4876	msedge.exe
4636	msedge.exe
4636	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeAuditPrivilege	928	svchost.exe
Token: SeSecurityPrivilege	928	svchost.exe
Token: SeLoadDriverPrivilege	3208	VBVoicemeeterVAIO_Setup_x64.exe
Token: SeRestorePrivilege	2956	DrvInst.exe
Token: SeBackupPrivilege	2956	DrvInst.exe
Token: SeRestorePrivilege	2956	DrvInst.exe
Token: SeBackupPrivilege	2956	DrvInst.exe
Token: SeLoadDriverPrivilege	2956	DrvInst.exe
Token: SeLoadDriverPrivilege	2956	DrvInst.exe
Token: SeLoadDriverPrivilege	2956	DrvInst.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4804	voicemeeterprosetup.exe
3208	VBVoicemeeterVAIO_Setup_x64.exe
644	vbregsvr64.exe
4928	vbregsvr64.exe
3664	vbregsvr64.exe
2752	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1568	2840	msedge.exe	78
PID 2840 wrote to memory of 1568	2840	msedge.exe	78
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 3112	2840	msedge.exe	79
PID 2840 wrote to memory of 4904	2840	msedge.exe	80
PID 2840 wrote to memory of 4904	2840	msedge.exe	80
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81
PID 2840 wrote to memory of 4384	2840	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vb-audio.com/Voicemeeter/banana.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc66253cb8,0x7ffc66253cc8,0x7ffc66253cd8
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1852 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,5366007104648505463,3131800813166174407,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6440 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\Temp1_VoicemeeterSetup_v2113.zip\voicemeeterprosetup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_VoicemeeterSetup_v2113.zip\voicemeeterprosetup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:4804
- C:\Program Files (x86)\VB\Voicemeeter\VBVoicemeeterVAIO_Setup_x64.exe
  -h -i -H -n
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3208
- C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe
  -fC:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:644
- C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe
  -fC:\Program Files (x86)\VB\Voicemeeter\vbvmaux_asiodriver64.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4928
- C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe
  -fC:\Program Files (x86)\VB\Voicemeeter\vbvmins_asiodriver64.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vb-audio.com/Voicemeeter/ThankYou.htm
  2⤵
  PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc66253cb8,0x7ffc66253cc8,0x7ffc66253cd8
    3⤵
    PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:928
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{ce99eb35-ca7c-c347-8b83-e874dbbd4a44}\vbvoicemeetervaio64_win10.inf" "9" "43914f2f7" "0000000000000164" "WinSta0\Default" "00000000000000BC" "208" "c:\program files (x86)\vb\voicemeeter"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1576
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce8840c48fa1f:VBCableInst:15.24.8.620:vbvoicemeetervaio," "43914f2f7" "00000000000000F0" "b128"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VB\Voicemeeter\VBAN2MIDI.exe

Filesize
320KB

MD5
0c2cf9740d7e27330a1105d7376364d1

SHA1
52c15fcad864d5fab096ceb2d911796c40d5248c

SHA256
baf390d96ba8f0100af74007a52481bd3825949faf4bcbc259fe47492994d87b

SHA512
74cbbb435c30b17d547ed18a24cce27e560c87ff31a39f6f2c94de070c492e3bb1fa2b86cb30133ad0af272b283658dd42b86f52850f524aa2133868e95a9a22

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VBVoicemeeterVAIO_ControlPanel.exe

Filesize
910KB

MD5
6846585cc3d1eb6a0e4cf68e263da266

SHA1
0bddcd4008a16a03e304ab11031a7edfffe09add

SHA256
721702fb9ebf73244d2b4cd3070ab48fa790547c45826445100edd8989e78d67

SHA512
3d2c1c3d96ab9cc6c430619e46719819b5e7bd0ce5b4797b79fac412b9a3282b1f1ce021264e82671f5e70baeeecda09804c46e463d8578a079cf3c6509cf4d9

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VBVoicemeeterVAIO_Setup_x64.exe

Filesize
900KB

MD5
f2add656a75cd81abf4a8980634e92a1

SHA1
e4d53b74d1a1abf41130c350490770226790e920

SHA256
28c6409a5ccebb1f83dc25660d800f95c22ca5eff05978f4e3bc780a50d37b61

SHA512
d9925bdd348a97609a7a167ee1931bf875e3152904c4f447d8c2000af450e26e4433cea4485eded9c38f70b24d2f6a93c21308a9d6546b25e4ddd064190025ee

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VMStreamerView.exe

Filesize
116KB

MD5
0e271f0f95859da190019e98a8e7538d

SHA1
34e61d4257ea5e934b7cc55c80406ee3a0ec524f

SHA256
da1fb95da33e3026d378307eff10cf16c6e978db5d960884c0d6f686800bd7a0

SHA512
343bb094b97768ac96c5306420bdf972e5f9f04e4d692af8c040900b9631ad562ef15a6b72ff7465f795fdc85c6402ef429c94dd977cac06b41c3c5e415443c7

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSGEQ15.exe

Filesize
526KB

MD5
428f5d6c1ad8a8cc1ccb07b7de7b5836

SHA1
250252a7211ad9a4e5efc00f642197959751bdf6

SHA256
54910065ce0530097d6c8cc1463fd208e4ced199868081528a3e4bc8f39d15b9

SHA512
6d86d8db5e948892b16a21ad89df0939aa1bf85eb50322d0d7728724948ce5cf51c01cf4618b4a1ddbd792b00adcf5969a14ed96ee66c366955cf841cc59dbcd

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterBUSMatrix8.exe

Filesize
157KB

MD5
8f90b3cf9ae14522043edba0fe02d034

SHA1
d697d5b8c2130a5c99ab3ee043769a99c44410c5

SHA256
5e26c31db77526c7c76cd88117993772331883e6ab668601727ce10a7e418e8f

SHA512
c90b81fd1c6bd8c07eba3f36432c42fabf013272dda7a359b6cdef0f663541083b9f6758a55b1b62eae24d3cd8fc8ac38af43caf188b3838c98da204e117b51a

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\VoicemeeterMacroButtons.exe

Filesize
1.3MB

MD5
6ba607533dd4292382c3031a2179e57b

SHA1
2f97841599673296b634da98d34d6d08aca70f26

SHA256
bb1446b17aa4c50c0e1448b87946c0bfd347b3837f3f4b64ec61f0b2ca0bcaf0

SHA512
a58d35092de8cfeb72d5311917643f39d367b782447180b02959e51b2362e22656d38dfc54c1e5d8b659308fc4ff50f22cb3c97cbb9892b6e1f1ab20f15b1f06

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbregsvr64.exe

Filesize
47KB

MD5
a8442fae07f1a7edca6fa2e0e94c2059

SHA1
d30851d5e11d9e87bb99ab4ecfaec2099b7e1156

SHA256
f2b62bef11048c74a7d1b2cd8e217738b3a7d627de6d001b298f034116626e6b

SHA512
ca0de0d6e28864f84dd09ea38846eef0920a8cd63dcb950e9cffb9c0be057b0aa9cb59f209fe8181962c605924d2e77c837e2b3ed45fe700edd24a3cf66e5ac2

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver.dll

Filesize
104KB

MD5
a892e96083fc604983440f94fd6cc591

SHA1
68ea2da5591b9607074796ff5df8c0dd26ee311b

SHA256
f29948019d4c4eb07b9a0ce5fef7cffb877617b1959fb5c90f52890be541eb64

SHA512
92a9d802cce5552dd076a99d0162ed2db555e815daac1aa71164fea90ce145908983486d67dc7512e2b5dae16de2e28b4aa96693b33a1c290b9666fe8abb35d9

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvm_asiodriver64.dll

Filesize
122KB

MD5
fc454e758b637695f756bff5efce6117

SHA1
33ee4d6bf58ad222b46366792e343563b7385f1d

SHA256
f8d17fb939f6cf7f2a4ea42ad1925bd67ec51c88e43dbbf4c4296aa4499b80a0

SHA512
6104e0648a6a6c0cbf6abbe7043a8124c201a54505d8cac62493403d7cc5c59cd59d8d423bcdf0acfd48ef68dd818a662ab0eabb0f2e0ff88cebfa45b0f3ebd0

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvmaux_asiodriver.dll

Filesize
104KB

MD5
dd808d08690337397d0a789b4ea635b6

SHA1
23ffb973f6471b8fa4111dc2271826f4c96d1df9

SHA256
075f0bb1449beb617ae489de09577ab30d1c7414f6541e26b975071995beb7dc

SHA512
2a92be83080ac64b89a83f38336f2e2dad9e5dd8fd71ddfc22287aef8712986b715975747ba4d8b8fc43de5cc8b018e29345c05aef36540c9ad5d6e25909dc00

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvmaux_asiodriver64.dll

Filesize
122KB

MD5
ebb4e1068c19da9f75b30979d72b9fc9

SHA1
86788c9d610b1a68e76949fc7570f71d369a2606

SHA256
33fa84911f9ade10ba9c796f99afa3948ef0a6011e2e707289a50629af231ea8

SHA512
bb110169a79e924b7c630604a4fd733cb6a907d66b1e79ad45dd3ac68fd968422c93911b00ac3a6b03446195803ac600aaf85e9dbf6c15e1ef92e4e612e3e1b4

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvmins_asiodriver.dll

Filesize
104KB

MD5
e84fef568e6bb6f1d5a19cf6d0ece326

SHA1
893a67b6132b3160c9b35d4efa55d5afb2b3db7b

SHA256
04bf4055bee6e494fbe6a5a70dc6171ab7888f06f5c9a500f28f493273a9053e

SHA512
5b0f221c4eaae9b18483d6ccfabbaad01e12b6cf9b51d233402cb2fd586dc2bfb6733c9d40409a50330546e98e415ba4720cb284fdd0923c6a82ef08d5b9f0f2

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvmins_asiodriver64.dll

Filesize
122KB

MD5
19387222bd35f74adab6c1716f1033df

SHA1
1d49066d297ab67a105a6c67e12a171c041d2ca7

SHA256
d19d5e0fddd96f846c8bb1e606d180440fcc26eed1c4b5ca464d73da8e980c0e

SHA512
38ddef4885a211ce131134616b518ac7ebf39c30ce9eecd65e281240193b7f6f140b5aa634d8d600fd655f28c3a455c69f7d918b42f9e9772cb6da6cccc79740

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\vbvoicemeetervaio64_win10.inf

Filesize
25KB

MD5
0e85af48ba3f47e3b9dfba7313a86df4

SHA1
eb3d8d1f889916e6f760cf838242945b9ec79c75

SHA256
6125d25e93794e8fc993d68a5196b905f9b70e5f194cf5358591203e34bf7ce1

SHA512
8a846085be46557bb57cf735442a7745b0aab745ed86828648765593b5b49f29464163de0e819dcae250b82da46c1b9b59f773c2ef86d2ac01ae3026e94bbcc7

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\voicemeeter.exe

Filesize
7.3MB

MD5
0b6eb5fa4358d873bc2daa5b07b75ccb

SHA1
5060d4903845104b31f166508756e8ebab969d07

SHA256
b253bbfad7698b85c99e5a6ca2e1346bbcbae8868a5edbe7977a6c8fb8a44945

SHA512
12d5d1c0cb290dea650e37c92104f725f0060cf5ad2baedf10ec823c40c804734caf933a85c7d32ad0eff830bcd19f2d8c6274f76ae4ed7a9af9e4a00d17ffc0

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\voicemeeter_x64.exe

Filesize
7.3MB

MD5
d3dbc8c172b641f1f0324de0b8ef8807

SHA1
6d825764d5dda0fd05a6cf4a32dcd7b124f53534

SHA256
a17ca82508644af1a15920016df61153f338c3ff4a134ca43e5519aa675a1069

SHA512
5c6a7b583fe7adedf915ed8b08e894ca3b709efa47523bf517d6221bed16f215cb793222ace3d730ecc35363aee95183bb58b2398aa633f58dc52692f5b04e57

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\voicemeeterpro.exe

Filesize
8.8MB

MD5
384c4fa87114d3a51463ed6f37166895

SHA1
472a686ac28c4132a77e9357f7402f052f280b7f

SHA256
5f99ec86e2c6c555b0c0506dd8fbdf523f88029840720a3fbc5a7a8b395edb56

SHA512
f51797aeae84aba12f2ba05b07857838aaac3ff8ef06eeb8281f8e392e7851d3f3d719be822470b8fa2aee348a37840d4699ee7ced41b6de3a997fc4f4bf782b

Download Submit
C:\Program Files (x86)\VB\Voicemeeter\voicemeeterpro_x64.exe

Filesize
8.7MB

MD5
8d895705d47f948584ef49d16c41775b

SHA1
6037d43475e7b332c608f905ee21c854e8aeca8c

SHA256
0d82dd532efbb6e6e6e5ec1467b0050f5db4ea0f52484995cf844e4424e3a81f

SHA512
41a34a5a93e7cdea924b242d918b25e770ca8029733803948e4542f7df8cfce075e9bea0f9e008643f544e9468d5c504d03051a25f4d7c2dd09801b0b8a88847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
47KB

MD5
213af7ac1aa72e2c0c316743695b7cd0

SHA1
c93bf2de82958073a23b3a495356118ef718cecf

SHA256
f5680671f5dc330f962eb3de4164654e2c17284ac3a109f687ddabf104e25ce4

SHA512
d0e11f42a046682805d18a0a133df1c8c4272b94117de503dd4992c34f93e516b7decbf77496f45768aeb1a95f1493f74f5ff732e9b42efa6bff1b47e9b0c1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
97KB

MD5
a5943aa35de66dd30b0c48c25ca6d839

SHA1
bbad68a74ae67e1059b1179405b84a84c1972d53

SHA256
52052a78f69c6f800f32e32e8065e1508b0355d2eea9f13efd75dc38ed25986f

SHA512
cbcb60586eee6dee0fd980f79ab329ae28fefb3aee11c438ca1571f92b840a836287e703395b6f70fc47526a58460d613f8139c17d7fbada6a7904e19eb97b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
20KB

MD5
66db0ea78d6b40afe805f1f5dbae55b5

SHA1
b1ce78beec892f7e34c449256498d6e05ce2e2dd

SHA256
48cbfeeb25606ed38547c42ba53f05382806d8bdf275c255eed495f0eedc01c8

SHA512
d52e3298f7f845323a35b32a2b2734675e5644871bae63d06e450b181312e6702aae466c320c88758c20735dd1dc41d59cbab06566ac7d016a47123aaec80094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
32KB

MD5
d3e02746da373fc8d16648d056b05a69

SHA1
041d8e4b0adf19cc12875537c45474f09017174d

SHA256
6e9e96955e27bbe6308b017da2f3622d737ff0442e997b895c31039d105cf731

SHA512
64e4c4f83c875a0260ab382501361033d4ef3a8d4ab30e7e8673dac4f4b05274e87b656ddf7348bed3d5fdb6abe5645512aac93693b8cec3db5e11a8f669cac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\335e69ddec2b9ac6_0

Filesize
212B

MD5
cbea768d00e1d1cfe9d61e4ba676eb9d

SHA1
5f169da31cc71a9e4207fa9fd80ab31538c24787

SHA256
0e5e4c4ce6be8d4e9ba594af33192498fa632cc092a4946a3214a053a3f91a2d

SHA512
36059ebb0d0dcb827bb396892326d4e3c4d143b43797239341a495cb6e7b84698d20c7cfe521fe489ef50d8b0d9904944df9f4b58eeb617896365fdcd42913d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
eb1ccbf0dc748af5d7175b9f5928a0e4

SHA1
74e29888f28c95043b28ebb0c5ce439b2747e0e0

SHA256
0493cef9ae5ba34c98cbb839330c353845cdc367e6ce9c2668d4cf2d4d078420

SHA512
4c05d9f0646299a7c6d742f28a475fff276136548824b4d8cd051f741c89cf619691b2d37269eb1e992acf077c4fd0bd8c3a66c013a67db1fd827d683cee65c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
20d456095a6972d648ec6fc11d434088

SHA1
edaf934630603326dab5b6e26d3074e007543af1

SHA256
8d7c8fe5e896b893d2fd559ad50445ea41121196f9a24979369bf927c3e3bd48

SHA512
cad8bdd8c9dc4d2ea4b287ac7de977357ac8e02d236a1c7a7ad0a51413a499d576d201af45c159d06e52d252406302396ffb9cc839c78b108dd7cf0627bd96fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
30b5ff8285ebad3597acbed5c54fa685

SHA1
7629e4d66464bf05a63f01530337604df893676f

SHA256
41d33ee81724a2398e1a95ce06a48961e588ddbf4f089adc487fa154c411bf07

SHA512
32cb80a06e1b3c493e5de061ee701e49aa334c065dacf3e779be056478f341ba880a6be2c1cf68f39da68288706f34fcdff1094f323fbcc83d47190bbcf11c31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7451187bc1f6c831c884bedc56868ed

SHA1
a4fd8a6c09648b008fa576dfd5e5e706490beb16

SHA256
5ce77c5ccf66668f28b9277f5a533392d8bfa90da43fe5add3604d4164673cc6

SHA512
2c8609f0d1a14badaf13cb8b26fee51d12d9c6b06ae104af3943a5f8f80aded5018e725842304b0ca8bc766747518bbc72ec4873d730ec2099eeda6e185d22f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a17002137eaf04286394d45dc67b2b11

SHA1
34c037339db6509ff00245c3863cd3149d901786

SHA256
b50c7af81c512e0725932d6382e3a6b2933442f4d8fa2ce69e3a7194ab8e3432

SHA512
843ccec3b86f74895bdc38bdb4aee037c77d0bb34395d8e3890a1373ea3006ba198618da9af1deb94c44a463e84ce99c8f9831060a5ab2e51829c3bbf5a4eb20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cb2d385211b50245d19d3f39cf32828a

SHA1
dd255436482de083f91db0ea332676d9c169e5c4

SHA256
e28252c03a5dae11e3e84ddc008b149cd8495884580fbbfef2accf8bcf0e7e8e

SHA512
f9e70ba30819d956a47a12de059b75eb95edf8fa410be5d43bd88b8c25a5815713161bf8496a7f05d7933eb900a0d9ffa0d0fe4249aaa987382bd768e8354c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9759a3e0ec5af536fbddad7953a6b12e

SHA1
aeec80d14b36f95f26ad03adce76e8219d32b67c

SHA256
71ca429197ffb43c8f0053e2262a10856033ca41262f1f80f6246453d5b71329

SHA512
d95504bd70259ed24579ef6d4144a913e9521f892e2312a442b865a494d0dccca1da62387bbd3a76f3a44ad4aa62b8114cf6770e485d5dc99bddcc56ebfebffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
693071f68abbb6c32b5243e4f2f24da8

SHA1
f070fa0be0019d9daf2f0a857b8d4d6a118ef594

SHA256
ac11f6ea065767bc4926ed5c7962e210753575a3e10fb3c99f229d6098675192

SHA512
9f3fc764469b35993571093ff988ba8e9a42976c7053faeacfc1005f221c0530b683d12acb58e0e6a78bc207611c3729a56ab9b8dc072e3fd9a5b62e31d22e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e129144736782cfd2049f2f1fc44cad7

SHA1
8a182a84226569fc2797cf02ea24724e124d2115

SHA256
22498ce488bb797502afc09f43496ccbc27c1989acd8b2af7534f68146626547

SHA512
612c570d4f370d7c9a164bef23d12859f00955cb24008dd32a9efbe87de73f11bdb772c94fd7f783cb8baefd3b4e5955a96ad3777cbae97d590c6b46367f15e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8abf0ad2bbb19ff2d970949d9be8f719

SHA1
322af41f6e9e94fcf1aeab1a86bdc1dc15dd540a

SHA256
86409b3a72f4dd3e9def7b47b4da52a13b65e4083fb9a5c18d62f8a2fe0bc91d

SHA512
dece020f29e36f435d418c770f34a5adb510a4178020d4834eb7bac686fa7df5db590d5f6d517b00818ef287442b3d0b54c2641a084d0a6fe7a49eb9785e3214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
756047fe9f961d430fd8b00a08d0de4e

SHA1
ea8a58ac70a9277a8ed640ea1f0a6cce06b1f1c4

SHA256
cdb8f3d5affd030b588e58686a85e15281ac30ed94b26801e7e681c7c32e1c7c

SHA512
9f1ebf8659ff608f669e5f4dc0fe232f33f9829b5e3d58c33d23f7c729bcd6ff5152d3c6de2016b5d0456c65e0dab0ecefe81e929f378125751b90e02df58fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
552db1d3ce31f5ea1d5fee8a12b84d86

SHA1
e2c565b2bad906483c7fb3954b18af11c34d50db

SHA256
e4be88478ebaa68fcf08af6bee8610dbe149fbbf31a5be94aa5770153804e4f2

SHA512
0ca513deb55f042c8c037215842344199b15108827196d07d94c00994805031445bae710b1e0d14639877960bc511b2474bfd3a2bc53e48d68a890f76a7bdae0

Download Submit
C:\Users\Admin\Downloads\VoicemeeterSetup_v2113.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\c:\PROGRA~2\vb\VOICEM~1\VBVOIC~1.SYS

Filesize
289KB

MD5
a18ec39d760706247981266e4f3018ad

SHA1
39dca47f7905e684826c32bc5e98d977b508f906

SHA256
a01a4a567abf278d300626f19f14518715375d912c30d613ea6f41e91bd2dd14

SHA512
81eeb22accbc82acdabcd3dd036e3c3f7181874387fbfabee90d40e0785be98dd49c4d13f8a0500b71abc0a02d7622ab4f2da5f34338476faa2116edcf5d9ce7

Download Submit
\??\c:\program files (x86)\vb\voicemeeter\vbvoicemeetervaio64_win10.cat

Filesize
11KB

MD5
1e9e3e47ea88f9bfccc7fb142cdb9cbd

SHA1
51372978bcc339edc7ac2854ff14c4bea02afaf2

SHA256
dddd2b4fdb8653821efb775b41e2c696e4cf93a23564fd199a6dbea4147cff83

SHA512
a8287fcc300b5a69411a824f075741f47cc120220706280cbebacfc56132e5a2e9a4eb4ad217c9c6505e48057eadfa9d3fca83fda453364b952e7d49ec8cdf3f

Download Submit