c13cf348d683b93587c916046060a76c280e9aa38b8427ee47b316dc9540c5bb

Analysis

max time kernel
1603s
max time network
1608s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
Size

98KB
MD5

ebf75d28c7101b265932766c384d841a
SHA1

58affa66fd8ad5510532c04db52c537670b98587
SHA256

c13cf348d683b93587c916046060a76c280e9aa38b8427ee47b316dc9540c5bb
SHA512

811e78cb6f4da53900f3686de817c87a8062e16a865761d80d807474c6c23919719f70d164b1e823035a6b1d195b56b45dc92f7a74fa56079bc8e2ee4ec25839
SSDEEP

3072:ykBGWOsTIJgIDU5A/czY6tCNe6y4wMD9ZGYmfxO3:y1ssjuttCtb6+

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

5 1788 msiexec.exe
7 1788 msiexec.exe
9 1788 msiexec.exe
Downloads MZ/PE file

flow	pid	process
5	1788	msiexec.exe
7	1788	msiexec.exe
9	1788	msiexec.exe

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\SETDFE5.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SETDFE5.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vbaudio_cable64_win7.sys	DrvInst.exe

Executes dropped EXE 5 IoCs

Processes:

VoiceAI-Installer.exevac.exevc2019.exevc2019.exeVC_redist.x64.exe

pid process

1756 VoiceAI-Installer.exe
1236 vac.exe
1948 vc2019.exe
1964 vc2019.exe
968 VC_redist.x64.exe

pid	process
1756	VoiceAI-Installer.exe
1236	vac.exe
1948	vc2019.exe
1964	vc2019.exe
968	VC_redist.x64.exe

Loads dropped DLL 17 IoCs

Processes:

Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exeVoiceAI-Installer.exevc2019.exevc2019.exeVC_redist.x64.exe

pid	process
576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
1756	VoiceAI-Installer.exe
1756	VoiceAI-Installer.exe
1756	VoiceAI-Installer.exe
1948	vc2019.exe
1964	vc2019.exe
1964	vc2019.exe
1796	VC_redist.x64.exe
1756	VoiceAI-Installer.exe
1756	VoiceAI-Installer.exe
1756	VoiceAI-Installer.exe
1384
1384
1384
1384

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VC_redist.x64.exeVoiceAI-Installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{2aaf1df0-eb13-4099-9992-962bb4e596d1} = "\"C:\\ProgramData\\Package Cache\\{2aaf1df0-eb13-4099-9992-962bb4e596d1}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	VoiceAI-Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voice.ai = "\"C:\\Program Files\\Voice.ai\\VoiceAI.exe\" start"	VoiceAI-Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 64 IoCs

Processes:

DrvInst.exemsiexec.exevac.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vbmmecable64_win7.inf_amd64_neutral_ffa78ae84c13ca8c\vbmmecable64_win7.PNF	DrvInst.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{30656bf0-8c3d-07e4-8f42-3246df7dea51}\SET17C6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	vac.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	vac.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{30656bf0-8c3d-07e4-8f42-3246df7dea51}\SET17D6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{30656bf0-8c3d-07e4-8f42-3246df7dea51}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{30656bf0-8c3d-07e4-8f42-3246df7dea51}\vbaudio_cable64_win7.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{30656bf0-8c3d-07e4-8f42-3246df7dea51}\vbmmecable64_win7.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{30656bf0-8c3d-07e4-8f42-3246df7dea51}\SET17C6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vbmmecable64_win7.inf_amd64_neutral_ffa78ae84c13ca8c\vbmmecable64_win7.PNF	DrvInst.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{30656bf0-8c3d-07e4-8f42-3246df7dea51}\SET17D6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	vac.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{30656bf0-8c3d-07e4-8f42-3246df7dea51}\SET17E7.tmp	DrvInst.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{30656bf0-8c3d-07e4-8f42-3246df7dea51}\SET17E7.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

VoiceAI-Installer.exevac.exeVoice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe

description	ioc	process
File created	C:\Program Files\Voice.ai\locales\te.pak	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\certutil.exe	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\libsndfile-1.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\version	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\da.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\de.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\gu.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\pl.pak	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\pin_in.ico	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\DriverManager.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\onnxruntime.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\fa.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\chrome_200_percent.pak	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vbMmeCable_win7.inf	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\lv.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\v8_context_snapshot.bin	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\libcef.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\tools\vbMmeCable64_vista.inf	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\sl.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\d3dcompiler_47.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\tools\vbMmeCable64_2003.inf	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\tools\vbMmeCable_vista.inf	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\et.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\he.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\DriverManager.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\tools\pin_out.ico	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\sv.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\uk.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\tools\vbaudio_cable_win7.cat	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\en-GB.pak	VoiceAI-Installer.exe
File created	C:\Program Files\VB\CABLE\vac.exe	vac.exe
File created	C:\Program Files\Voice.ai\meta	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
File created	C:\Program Files\Voice.ai\libsamplerate-0.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\tools\vbaudio_cable64_win7.cat	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vac.exe	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vbMmeCable64_2003.inf	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\vi.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\zh-TW.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\BugSplatDotNet.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\CefSharp.Core.Runtime.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\cudart64_110.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\hostpolicy.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\libEGL.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\tools\vac.cer	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vbaudio_cable_win7.sys	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vbaudio_cable_xp.cat	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\AudioConverter.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\NAudio.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\hi.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\it.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\ru.pak	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vbMmeCable_xp.inf	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\CefSharp.BrowserSubprocess.Core.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\tools\vc2019.exe	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vbMmeCable64_vista.inf	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vc2019.exe	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\sr.pak	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\net452.exe	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vbaudio_cable64_2003.cat	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vbaudio_cable64_vista.sys	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\ta.pak	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\pin_out.ico	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\VoiceAI.exe	VoiceAI-Installer.exe

Drops file in Windows directory 35 IoCs

Processes:

DrvInst.exeVC_redist.x64.exemsiexec.exeDrvInst.exeDrvInst.exeDrvInst.exevac.exeVC_redist.x64.exe

description	ioc	process
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File created	C:\Windows\Installer\75aa37.msi	msiexec.exe
File created	C:\Windows\Installer\75aa39.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\75aa27.ipi	msiexec.exe
File created	C:\Windows\Installer\75aa4b.msi	msiexec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\75aa25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\75aa25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF040.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\75aa27.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE67E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74E.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	vac.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	vac.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File created	C:\Windows\Installer\75aa36.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\75aa37.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\75aa39.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Program Files\Voice.ai\VoiceAI-Installer.exe	nsis_installer_1
\Program Files\Voice.ai\VoiceAI-Installer.exe	nsis_installer_2
C:\Program Files\Voice.ai\VoiceAI-Installer.exe	nsis_installer_1
C:\Program Files\Voice.ai\VoiceAI-Installer.exe	nsis_installer_2
C:\Program Files\Voice.ai\VoiceAI-Installer.exe	nsis_installer_1
C:\Program Files\Voice.ai\VoiceAI-Installer.exe	nsis_installer_2

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeVC_redist.x64.exeVC_redist.x64.exeVoiceAI-Installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\203A181AD6F3DAB4798A4A626A94D987\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\PackageCode = "09139770F15A2384695CFEF667B84B3C"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{A181A302-3F6D-4BAD-97A8-A426A6499D78}v14.31.31103\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{2aaf1df0-eb13-4099-9992-962bb4e596d1}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{A977984B-9244-49E3-BD24-43F0A8009667}v14.31.31103\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B489779A44293E94DB42340F8A006976\VC_Runtime_Additional	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B489779A44293E94DB42340F8A006976\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voiceai\shell\open	VoiceAI-Installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.31.31103"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{A181A302-3F6D-4BAD-97A8-A426A6499D78}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\203A181AD6F3DAB4798A4A626A94D987\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.31.31103"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voiceai\shell	VoiceAI-Installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\Version = "236943743"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voiceai	VoiceAI-Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voiceai\Url Protocol	VoiceAI-Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B489779A44293E94DB42340F8A006976	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B489779A44293E94DB42340F8A006976\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.31,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.31,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.31.31103"	VC_redist.x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{A977984B-9244-49E3-BD24-43F0A8009667}v14.31.31103\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voiceai\shell\open\command	VoiceAI-Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.31.31103"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.31.31103"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.31,bundle\Version = "14.31.31103.0"	VC_redist.x64.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

vac.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\00859AAC6A54B8C1B3C139DE67846E64E7B82DB2\Blob = 0f00000001000000140000000d44620e0a9c6b3ebe2ae9fc1a483595d4d38a8903000000010000001400000000859aac6a54b8c1b3c139de67846e64e7b82db220000000010000008e0500003082058a30820472a003020102021007acf5c5a754daaf4cd6bd1d74791d59300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303130204341301e170d3133313130323030303030305a170d3135303130313233353935395a3081cd310b30090603550406130246523111300f06035504081308446f72646f676e65310e300c0603550407130545796d657431243022060355040a141b4e6f204f7267616e697a6174696f6e20416666696c696174696f6e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632311d301b060355040b1414496e646976696475616c20446576656c6f706572311630140603550403140d56696e63656e7420427572656c30820122300d06092a864886f70d01010105000382010f003082010a0282010100e6226548adb62b60644356757218468aa2d8750aa9825bd8203a8111a427954f76fe6a314972e82f2d2f195ba265ff5771b25944cdf19a23154ed158e0e155b5e40039308767973fa0ac9840f64845c5544e7e1b91dffe3152718630ef09869202101e260f91664b118f3963512d6201c4077ac0fac4fe70600faf75fc409666771304eace525dbda197d2a48ae1a98d047c5c41129875127edd88a523b3f75a1c599227f64d6cf705a9876ab98498cd32d77b20eee6e43ee4d4c6208732a7669646abdacb803c9da676a0f4b76b47efa9631e56a8d91b0aac17784f0f4985bc06f30d9def190f8a155b89d40ba4ba8dc3ef35efc9014cbfacb3664819f521010203010001a382017b3082017730090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f637363332d323031302d63726c2e766572697369676e2e636f6d2f435343332d323031302e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307106082b0601050507010104653063302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303b06082b06010505073002862f687474703a2f2f637363332d323031302d6169612e766572697369676e2e636f6d2f435343332d323031302e636572301f0603551d23041830168014cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010505000382010100039480fb57bc9effd89b207713a34f2ef573ffbdbae493bf86b7a9368198d72d912cd90f01bf9dec635c524e6060f074597350ae391d86d9c612543f12e4d3cf631ffa4c4486b87313186d9adf51bc1070cb5204910999a9c9f889002f7c897ac8b83589d731178fc7f4f9c92d10d89ac87da1ad580e971023be067bce9ce0f93dbdd5ff30c17836057551997afa48d78b04d5f942c8f32b76ec3a48c67847eee3b095d825ae005416d58b7d1ee13ae2fea1f7a677ce2a5d75c837bc7a84f35c3b25316bbd4ec3efb88e1337a2f11c5a5132e1aeeade821b41ed41329af5394fb3c98af759e7593cd7e858051d18d49a48b05e9839472b31e0423b9be3627d18	vac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	vac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	vac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	vac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	vac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\00859AAC6A54B8C1B3C139DE67846E64E7B82DB2	vac.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exemsiexec.exe

pid	process
576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
1788	msiexec.exe
1788	msiexec.exe
1788	msiexec.exe
1788	msiexec.exe
1788	msiexec.exe
1788	msiexec.exe
1788	msiexec.exe
1788	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exeVoiceAI-Installer.exe

pid process

576 Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
1756 VoiceAI-Installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vac.exeDrvInst.exevssvc.exeDrvInst.exeDrvInst.exeDrvInst.exe

description	pid	process
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeBackupPrivilege	1780	vssvc.exe
Token: SeRestorePrivilege	1780	vssvc.exe
Token: SeAuditPrivilege	1780	vssvc.exe
Token: SeBackupPrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	560	DrvInst.exe
Token: SeRestorePrivilege	2020	DrvInst.exe
Token: SeRestorePrivilege	2020	DrvInst.exe
Token: SeRestorePrivilege	2020	DrvInst.exe
Token: SeRestorePrivilege	2020	DrvInst.exe
Token: SeRestorePrivilege	2020	DrvInst.exe
Token: SeRestorePrivilege	2020	DrvInst.exe
Token: SeRestorePrivilege	2020	DrvInst.exe
Token: SeLoadDriverPrivilege	2020	DrvInst.exe
Token: SeLoadDriverPrivilege	2020	DrvInst.exe
Token: SeLoadDriverPrivilege	2020	DrvInst.exe
Token: SeRestorePrivilege	1236	vac.exe
Token: SeLoadDriverPrivilege	1236	vac.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	1448	DrvInst.exe
Token: SeLoadDriverPrivilege	1448	DrvInst.exe
Token: SeLoadDriverPrivilege	1448	DrvInst.exe
Token: SeLoadDriverPrivilege	1448	DrvInst.exe
Token: SeLoadDriverPrivilege	1448	DrvInst.exe
Token: SeLoadDriverPrivilege	1448	DrvInst.exe
Token: SeLoadDriverPrivilege	1448	DrvInst.exe
Token: SeLoadDriverPrivilege	1448	DrvInst.exe
Token: SeLoadDriverPrivilege	1448	DrvInst.exe
Token: SeRestorePrivilege	2044	DrvInst.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exeVoiceAI-Installer.exevc2019.exevc2019.exeVC_redist.x64.exeVC_redist.x64.exeVC_redist.x64.exe

description	pid	process	target process
PID 576 wrote to memory of 1756	576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe	VoiceAI-Installer.exe
PID 576 wrote to memory of 1756	576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe	VoiceAI-Installer.exe
PID 576 wrote to memory of 1756	576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe	VoiceAI-Installer.exe
PID 576 wrote to memory of 1756	576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe	VoiceAI-Installer.exe
PID 576 wrote to memory of 1756	576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe	VoiceAI-Installer.exe
PID 576 wrote to memory of 1756	576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe	VoiceAI-Installer.exe
PID 576 wrote to memory of 1756	576	Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe	VoiceAI-Installer.exe
PID 1756 wrote to memory of 600	1756	VoiceAI-Installer.exe	certutil.exe
PID 1756 wrote to memory of 600	1756	VoiceAI-Installer.exe	certutil.exe
PID 1756 wrote to memory of 600	1756	VoiceAI-Installer.exe	certutil.exe
PID 1756 wrote to memory of 600	1756	VoiceAI-Installer.exe	certutil.exe
PID 1756 wrote to memory of 1236	1756	VoiceAI-Installer.exe	vac.exe
PID 1756 wrote to memory of 1236	1756	VoiceAI-Installer.exe	vac.exe
PID 1756 wrote to memory of 1236	1756	VoiceAI-Installer.exe	vac.exe
PID 1756 wrote to memory of 1236	1756	VoiceAI-Installer.exe	vac.exe
PID 1756 wrote to memory of 1948	1756	VoiceAI-Installer.exe	vc2019.exe
PID 1756 wrote to memory of 1948	1756	VoiceAI-Installer.exe	vc2019.exe
PID 1756 wrote to memory of 1948	1756	VoiceAI-Installer.exe	vc2019.exe
PID 1756 wrote to memory of 1948	1756	VoiceAI-Installer.exe	vc2019.exe
PID 1756 wrote to memory of 1948	1756	VoiceAI-Installer.exe	vc2019.exe
PID 1756 wrote to memory of 1948	1756	VoiceAI-Installer.exe	vc2019.exe
PID 1756 wrote to memory of 1948	1756	VoiceAI-Installer.exe	vc2019.exe
PID 1948 wrote to memory of 1964	1948	vc2019.exe	vc2019.exe
PID 1948 wrote to memory of 1964	1948	vc2019.exe	vc2019.exe
PID 1948 wrote to memory of 1964	1948	vc2019.exe	vc2019.exe
PID 1948 wrote to memory of 1964	1948	vc2019.exe	vc2019.exe
PID 1948 wrote to memory of 1964	1948	vc2019.exe	vc2019.exe
PID 1948 wrote to memory of 1964	1948	vc2019.exe	vc2019.exe
PID 1948 wrote to memory of 1964	1948	vc2019.exe	vc2019.exe
PID 1964 wrote to memory of 968	1964	vc2019.exe	VC_redist.x64.exe
PID 1964 wrote to memory of 968	1964	vc2019.exe	VC_redist.x64.exe
PID 1964 wrote to memory of 968	1964	vc2019.exe	VC_redist.x64.exe
PID 1964 wrote to memory of 968	1964	vc2019.exe	VC_redist.x64.exe
PID 1964 wrote to memory of 968	1964	vc2019.exe	VC_redist.x64.exe
PID 1964 wrote to memory of 968	1964	vc2019.exe	VC_redist.x64.exe
PID 1964 wrote to memory of 968	1964	vc2019.exe	VC_redist.x64.exe
PID 968 wrote to memory of 1524	968	VC_redist.x64.exe	VC_redist.x64.exe
PID 968 wrote to memory of 1524	968	VC_redist.x64.exe	VC_redist.x64.exe
PID 968 wrote to memory of 1524	968	VC_redist.x64.exe	VC_redist.x64.exe
PID 968 wrote to memory of 1524	968	VC_redist.x64.exe	VC_redist.x64.exe
PID 968 wrote to memory of 1524	968	VC_redist.x64.exe	VC_redist.x64.exe
PID 968 wrote to memory of 1524	968	VC_redist.x64.exe	VC_redist.x64.exe
PID 968 wrote to memory of 1524	968	VC_redist.x64.exe	VC_redist.x64.exe
PID 1524 wrote to memory of 1796	1524	VC_redist.x64.exe	VC_redist.x64.exe
PID 1524 wrote to memory of 1796	1524	VC_redist.x64.exe	VC_redist.x64.exe
PID 1524 wrote to memory of 1796	1524	VC_redist.x64.exe	VC_redist.x64.exe
PID 1524 wrote to memory of 1796	1524	VC_redist.x64.exe	VC_redist.x64.exe
PID 1524 wrote to memory of 1796	1524	VC_redist.x64.exe	VC_redist.x64.exe
PID 1524 wrote to memory of 1796	1524	VC_redist.x64.exe	VC_redist.x64.exe
PID 1524 wrote to memory of 1796	1524	VC_redist.x64.exe	VC_redist.x64.exe
PID 1796 wrote to memory of 1076	1796	VC_redist.x64.exe	VC_redist.x64.exe
PID 1796 wrote to memory of 1076	1796	VC_redist.x64.exe	VC_redist.x64.exe
PID 1796 wrote to memory of 1076	1796	VC_redist.x64.exe	VC_redist.x64.exe
PID 1796 wrote to memory of 1076	1796	VC_redist.x64.exe	VC_redist.x64.exe
PID 1796 wrote to memory of 1076	1796	VC_redist.x64.exe	VC_redist.x64.exe
PID 1796 wrote to memory of 1076	1796	VC_redist.x64.exe	VC_redist.x64.exe
PID 1796 wrote to memory of 1076	1796	VC_redist.x64.exe	VC_redist.x64.exe

C:\Users\Admin\AppData\Local\Temp\Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe
"C:\Users\Admin\AppData\Local\Temp\Voice.ai-Downloader-alphaver-97d479c7a7e743d5a1972269557f7430.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:576

C:\Program Files\Voice.ai\VoiceAI-Installer.exe
"C:\Program Files\Voice.ai\VoiceAI-Installer.exe" /path "C:\Program Files\Voice.ai"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\system32\certutil.exe" -addstore "TrustedPublisher" "C:\Program Files\Voice.ai\tools\vac.cer"
3⤵
PID:600

C:\Program Files\Voice.ai\tools\vac.exe
"C:\Program Files\Voice.ai\tools\vac.exe" -h -i -H -n
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Program Files\Voice.ai\tools\vc2019.exe
"C:\Program Files\Voice.ai\tools\vc2019.exe" /q /norestart
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Temp\{A7239E96-FB33-4573-9F2D-D23D61F226CB}\.cr\vc2019.exe
"C:\Windows\Temp\{A7239E96-FB33-4573-9F2D-D23D61F226CB}\.cr\vc2019.exe" -burn.clean.room="C:\Program Files\Voice.ai\tools\vc2019.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /q /norestart
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{2E6D2027-31A4-4654-9B57-7811F1447ECD} {1DAEE3C1-1FAC-4360-A2F0-3EE77C079118} 1964
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:968

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={2aaf1df0-eb13-4099-9992-962bb4e596d1} -burn.filehandle.self=504 -burn.embedded BurnPipe.{68930801-E96A-490D-B6DC-4EFB6E8BB2AF} {CD464719-6E2C-40F4-90DD-BD0B73CBE5BC} 968
6⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={2aaf1df0-eb13-4099-9992-962bb4e596d1} -burn.filehandle.self=504 -burn.embedded BurnPipe.{68930801-E96A-490D-B6DC-4EFB6E8BB2AF} {CD464719-6E2C-40F4-90DD-BD0B73CBE5BC} 968
7⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DE7EF0C6-C018-4F76-8856-E5A310FC6705} {28866F65-85BB-4966-9AF1-C81B412A805D} 1796
8⤵
- Drops file in Windows directory
- Modifies registry class
PID:1076

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5a330f11-d1e9-3d16-6416-9f283ccc271b}\vbmmecable64_win7.inf" "9" "612cfd737" "00000000000003D8" "WinSta0\Default" "000000000000059C" "208" "c:\program files\voice.ai\tools"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C8" "0000000000000534"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem2.inf" "vbmmecable64_win7.inf:VBCable.NTamd64:VBCableInst:1.0.3.5:vbaudiovacwdm" "612cfd737" "00000000000003DC" "00000000000005C0" "0000000000000534"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000005C0" "00000000000002A4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voice.ai\VoiceAI-Installer.exe
Filesize
751.1MB

MD5
2e8affe8fb9976cbe61971af5877875d

SHA1
6bd3446cb3a054515ef2d44501c057020d0e2ee9

SHA256
7bc36ee215478a6764e3d9495087ed22c919a4ab975692627e9e21abd8441bda

SHA512
7051ca7b52d219394d0f991900cc9de89f304f1093711b3ef6715e33e3ca991d992baa7945207043f9ade1a066a5731e047a2d7933253df638daa6c12a9378f0

Download Submit
C:\Program Files\Voice.ai\VoiceAI-Installer.exe
Filesize
751.1MB

MD5
2e8affe8fb9976cbe61971af5877875d

SHA1
6bd3446cb3a054515ef2d44501c057020d0e2ee9

SHA256
7bc36ee215478a6764e3d9495087ed22c919a4ab975692627e9e21abd8441bda

SHA512
7051ca7b52d219394d0f991900cc9de89f304f1093711b3ef6715e33e3ca991d992baa7945207043f9ade1a066a5731e047a2d7933253df638daa6c12a9378f0

Download Submit
C:\Program Files\Voice.ai\meta
Filesize
65B

MD5
f3ff3cdcd5438fa5f5e35d891bd7b495

SHA1
d3687cad391e15a5d68a65aeb3eb2bf580fd073d

SHA256
16abbe804c70bb0ff095db249b3bc99d536f3b6849c3bbf63f0cb2dc97fbfa59

SHA512
9b2d5495b495729fc86b8a8571b97e487a4f3e9c955afcb0698f4f0362c8b73f7ff8c3decd770696bcf943f25a0d048b9a2d978ac4f15da47d41a1b506ab7fa8

Download Submit
C:\Program Files\Voice.ai\tools\vac.cer
Filesize
1KB

MD5
21a8049b1deb3102813b875fbcf3ef00

SHA1
00859aac6a54b8c1b3c139de67846e64e7b82db2

SHA256
db9f6f54a13ef2ede5a8a7ba69dc841dc0711ba77ae7b173dd093e8455a4ed7e

SHA512
4ae42ee6c591a6377c36d53fa7a5971e30ca6a68744aceae64582b86f8439a161d806321e36dd01c2806f0f21a9909cbaaccd0fc467d8cdd0a1ff11887a987b0

Download Submit
C:\Program Files\Voice.ai\tools\vac.exe
Filesize
901KB

MD5
aad9093bc9182081a386325d9c931f90

SHA1
1d06ad447b60b147c05369e6e761e1aa8ba7a54d

SHA256
186892503330970c8e8d561adf9b71bd15cd93589306ec00fa60009ebf611ee6

SHA512
cd56bf05b32df0314e9f70e5808813c78a0b687e55426d2f333c835412e1631befc84af72fb31d00eff41e180aea021b719f57033f92474063a9629ceca54225

Download Submit
C:\Program Files\Voice.ai\tools\vac.exe
Filesize
901KB

MD5
aad9093bc9182081a386325d9c931f90

SHA1
1d06ad447b60b147c05369e6e761e1aa8ba7a54d

SHA256
186892503330970c8e8d561adf9b71bd15cd93589306ec00fa60009ebf611ee6

SHA512
cd56bf05b32df0314e9f70e5808813c78a0b687e55426d2f333c835412e1631befc84af72fb31d00eff41e180aea021b719f57033f92474063a9629ceca54225

Download Submit
C:\Program Files\Voice.ai\tools\vbMmeCable64_win7.inf
Filesize
4KB

MD5
498faee2de63c1c428900920203fdf9b

SHA1
221fc3eeff0de46d01e8a4ce0561ecbfd6b6e1a0

SHA256
da35387ccfe813f5c553bb7e0caf4e67adbb4429e742c2bd3c2014f80e6ec516

SHA512
8dec1aae8137aeb1d5fd9633eaca3da6841dcca3aac927a6ee4278f846fefbedd93d0313520c1810bd50dd4ceb6276e2d724ecf4473b3e459fece659dc0bb95d

Download Submit
C:\Program Files\Voice.ai\tools\vc2019.exe
Filesize
24.1MB

MD5
4a85bfd44f09ef46679fafcb1bab627a

SHA1
7741a5cad238ce3e4ca7756058f2a67a57fee9d1

SHA256
37ed59a66699c0e5a7ebeef7352d7c1c2ed5ede7212950a1b0a8ee289af4a95b

SHA512
600e61332416b23ef518f4252df0000c03612e8b0680eab0bdf589d9c855539b973583dc4ce1faab5828f58653ed85a1f9196eb1c7bbf6d2e3b5ab3e83253f98

Download Submit
C:\Program Files\Voice.ai\tools\vc2019.exe
Filesize
24.1MB

MD5
4a85bfd44f09ef46679fafcb1bab627a

SHA1
7741a5cad238ce3e4ca7756058f2a67a57fee9d1

SHA256
37ed59a66699c0e5a7ebeef7352d7c1c2ed5ede7212950a1b0a8ee289af4a95b

SHA512
600e61332416b23ef518f4252df0000c03612e8b0680eab0bdf589d9c855539b973583dc4ce1faab5828f58653ed85a1f9196eb1c7bbf6d2e3b5ab3e83253f98

Download Submit
C:\ProgramData\Package Cache\{2aaf1df0-eb13-4099-9992-962bb4e596d1}\VC_redist.x64.exe
Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20221125160914_000_vcRuntimeMinimum_x64.log
Filesize
2KB

MD5
660d2266880de25e7cf3b0c7851af9df

SHA1
30856a7d289f01f093077a5d3cb252e4662d073c

SHA256
ac36e57d8fec7398fdc29c6847560e00c6538a123a168985e537c00699e94a0e

SHA512
12fb006780cff9d08a3561c7a812b460e1afc34ea2b8de9c487b0a5046d1f72830c3b9cd67da6b3b8b6e09e15ebfa193a36ab29b2aa41560e9385d206c7dbc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20221125160914_001_vcRuntimeAdditional_x64.log
Filesize
2KB

MD5
8bfd23ae32be24980bdc2855890ba369

SHA1
0277dc8e460718f9748150c91f1bd9a95c01fb49

SHA256
434ab4295b6d5aac04dd7432adae2d65363f74ffd231eada39401af8ce61688d

SHA512
3bf0efa235d6938ad1309920f7715a5dd577b236bff8c29aae2e08d4fe8fd442d5e2b91e7eb6ac9df63b2e39b3efae77911e8ef1976ef4adb7c625e52d7d615f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5A330~1\vbaudio_cable64_win7.sys
Filesize
40KB

MD5
e7204d7fd7362f0efaa502a4cb91ca1e

SHA1
6ca8b4db6f9887b96dc1a38db85c688bb6b7ac5f

SHA256
c7f3be383c81ab9aa642479f95872e40e19a4cfd72d4c8d7de80abc11b713e21

SHA512
70f5b6356e42c88cb0e4ce65e6d2f4d634b057609ed1423339194d762e5f9a5125cfb87be919d5692f289f2bca9a87b01805d86840ecd4cd9f43ffc06e22d5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5a330f11-d1e9-3d16-6416-9f283ccc271b}\vbaudio_cable64_win7.cat
Filesize
8KB

MD5
ccc4faa1dc627221bd57272444b4e71f

SHA1
43b6375973b67be4b269ca3a978458a0b6e31df5

SHA256
800b541f06bba3925ba058e7cc7ca837cfd4d845e073309eb2a9d36a2626403a

SHA512
754e9c25c330cf314775e93295975c1ea293e1849adc180a2d17f321d7b1f10e4d24a4001f39c962076fdfc022b1f916aa82bc8dcca85f381f4fc714f479f08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5a330f11-d1e9-3d16-6416-9f283ccc271b}\vbmmecable64_win7.inf
Filesize
4KB

MD5
498faee2de63c1c428900920203fdf9b

SHA1
221fc3eeff0de46d01e8a4ce0561ecbfd6b6e1a0

SHA256
da35387ccfe813f5c553bb7e0caf4e67adbb4429e742c2bd3c2014f80e6ec516

SHA512
8dec1aae8137aeb1d5fd9633eaca3da6841dcca3aac927a6ee4278f846fefbedd93d0313520c1810bd50dd4ceb6276e2d724ecf4473b3e459fece659dc0bb95d

Download Submit
C:\Windows\INF\oem2.inf
Filesize
4KB

MD5
498faee2de63c1c428900920203fdf9b

SHA1
221fc3eeff0de46d01e8a4ce0561ecbfd6b6e1a0

SHA256
da35387ccfe813f5c553bb7e0caf4e67adbb4429e742c2bd3c2014f80e6ec516

SHA512
8dec1aae8137aeb1d5fd9633eaca3da6841dcca3aac927a6ee4278f846fefbedd93d0313520c1810bd50dd4ceb6276e2d724ecf4473b3e459fece659dc0bb95d

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\VBMMEC~1.INF\vbaudio_cable64_win7.sys
Filesize
40KB

MD5
e7204d7fd7362f0efaa502a4cb91ca1e

SHA1
6ca8b4db6f9887b96dc1a38db85c688bb6b7ac5f

SHA256
c7f3be383c81ab9aa642479f95872e40e19a4cfd72d4c8d7de80abc11b713e21

SHA512
70f5b6356e42c88cb0e4ce65e6d2f4d634b057609ed1423339194d762e5f9a5125cfb87be919d5692f289f2bca9a87b01805d86840ecd4cd9f43ffc06e22d5e7

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vbmmecable64_win7.inf_amd64_neutral_ffa78ae84c13ca8c\vbaudio_cable64_win7.cat
Filesize
8KB

MD5
ccc4faa1dc627221bd57272444b4e71f

SHA1
43b6375973b67be4b269ca3a978458a0b6e31df5

SHA256
800b541f06bba3925ba058e7cc7ca837cfd4d845e073309eb2a9d36a2626403a

SHA512
754e9c25c330cf314775e93295975c1ea293e1849adc180a2d17f321d7b1f10e4d24a4001f39c962076fdfc022b1f916aa82bc8dcca85f381f4fc714f479f08e

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vbmmecable64_win7.inf_amd64_neutral_ffa78ae84c13ca8c\vbmmecable64_win7.PNF
Filesize
12KB

MD5
9439c0f446c4aa67a26d0a92721eb3bf

SHA1
e572df67e71199fc3a02870cee5cc801732769df

SHA256
f2ebc8a12a2313f893e590f22a6dac1bffade74ff018dc07f8481b4986c4a7ad

SHA512
0fe75ed5d913566b0904f39d0b0bbf954acbe3b642ddd802bb09c61e9cc513a8c84614f8e0c9bbbce265e72bf99410367e6abff385118d40dc19ae1811ee717a

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vbmmecable64_win7.inf_amd64_neutral_ffa78ae84c13ca8c\vbmmecable64_win7.inf
Filesize
4KB

MD5
498faee2de63c1c428900920203fdf9b

SHA1
221fc3eeff0de46d01e8a4ce0561ecbfd6b6e1a0

SHA256
da35387ccfe813f5c553bb7e0caf4e67adbb4429e742c2bd3c2014f80e6ec516

SHA512
8dec1aae8137aeb1d5fd9633eaca3da6841dcca3aac927a6ee4278f846fefbedd93d0313520c1810bd50dd4ceb6276e2d724ecf4473b3e459fece659dc0bb95d

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1
Filesize
1.4MB

MD5
da4d0d66965e97ac52a8d016fd3dd33d

SHA1
9260e4ffe4174f31356c46fe4bbb976a05fea2ad

SHA256
fc6490a267af932fd23489ba5b49e02fea5f1028940e8564457800c0ec5354bc

SHA512
548fa9151947c19d0bcd3aac885ddd73e636c95bd0e1c358ec6db225a8d5d6cdc05aedbb70efddeb9f2a9715ce8784a2cfe23010d744f33a731400ae0292093c

Download Submit
C:\Windows\Temp\{A7239E96-FB33-4573-9F2D-D23D61F226CB}\.cr\vc2019.exe
Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Windows\Temp\{A7239E96-FB33-4573-9F2D-D23D61F226CB}\.cr\vc2019.exe
Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\cab2C04DDC374BD96EB5C8EB8208F2C7C92
Filesize
5.4MB

MD5
6ce5097b19cf57527651840bb438adf3

SHA1
49d0b725e5819a076562fd007490eca0bbb69003

SHA256
f24a3bc5df7e7c07c0d13f46348c989eae7f597f428b20cc9044bba47785b7f0

SHA512
9152301c4f87018d166b624d73919fc2da7e7ef74b2c1ecf8ad01c31c2b2239013cc3bc22237c81940ae96a5fd1b3698d260c3d3e0a9d0318cdc053e28328d83

Download Submit
C:\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\cab5046A8AB272BF37297BB7928664C9503
Filesize
879KB

MD5
8e288dd0b5e0468ed8ae01ee566e77e8

SHA1
fbd11237ae3300a2202444d339601d1ac6bbf310

SHA256
c80addc870825e9a1aa9281e105e583973ec2846bbd74f1e97cb60911ba7a2e1

SHA512
facc72bdcdd5de47c0d18ecb5288962b04d9e4924a9a07ee807a3bf0eaa77eac05f086906b680bcf97c3bad5fab0038b47c0e09cd2bbec1d0709eba015bc1c04

Download Submit
C:\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\vcRuntimeAdditional_x64
Filesize
180KB

MD5
e6df9f55e20905f77b136844a3844dd6

SHA1
b7c1fb12bda508a62fdd9ffa9e870cae50605aaa

SHA256
f8745f3523ea73806d591fa4e666e86c30c7e5240a07211a0c11a7633d16c4f0

SHA512
7c71c2b9a7d3d768d1686cb037362efb9e38c50b652bfaeb22cf86c6c47a85962f9893cbf5e2f86880c9c8fc8bc0278edeb47088813e022ef05d7db15efc0713

Download Submit
C:\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\vcRuntimeMinimum_x64
Filesize
180KB

MD5
143a2b9f1c0ebc3421b52e9adcb4db2e

SHA1
06e01b8cc855fd9a31f99b430f8c8745e706c677

SHA256
5d0416e45819d555ad27e5efc1aeeb465cbb8e2937b3221852bea0f7d9c3a954

SHA512
7e17309cdaa856bd1bf17535e0f65db585226262a1c9ffcaadb19eb0822a578ad9036487870b97fc86b7167848f69d495aa51c380ba9890a71f8f9a94061fa05

Download Submit
C:\Windows\WindowsUpdate.log
Filesize
16KB

MD5
2c032d35170b2f03de5bc366dc39e027

SHA1
c2a605e386c1c86b06b43a131b604d193965363d

SHA256
f0e1da0f115c2482a0c0ced1f3c347a36d49201e74fba48ea4ddae659a86e660

SHA512
707715fe7f2d627acffdc8c61122732db48a39e1a8e30095c0c39829d739040593d1606063f6dbc142addb90b3d77b18d7a4d9ef8a8e2d3eedf8e7bf629f073e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\PROGRA~1\voice.ai\tools\vbaudio_cable64_win7.sys
Filesize
40KB

MD5
e7204d7fd7362f0efaa502a4cb91ca1e

SHA1
6ca8b4db6f9887b96dc1a38db85c688bb6b7ac5f

SHA256
c7f3be383c81ab9aa642479f95872e40e19a4cfd72d4c8d7de80abc11b713e21

SHA512
70f5b6356e42c88cb0e4ce65e6d2f4d634b057609ed1423339194d762e5f9a5125cfb87be919d5692f289f2bca9a87b01805d86840ecd4cd9f43ffc06e22d5e7

Download Submit
\??\c:\program files\voice.ai\tools\vbaudio_cable64_win7.cat
Filesize
8KB

MD5
ccc4faa1dc627221bd57272444b4e71f

SHA1
43b6375973b67be4b269ca3a978458a0b6e31df5

SHA256
800b541f06bba3925ba058e7cc7ca837cfd4d845e073309eb2a9d36a2626403a

SHA512
754e9c25c330cf314775e93295975c1ea293e1849adc180a2d17f321d7b1f10e4d24a4001f39c962076fdfc022b1f916aa82bc8dcca85f381f4fc714f479f08e

Download Submit
\Program Files\Voice.ai\VoiceAI-Installer.exe
Filesize
751.1MB

MD5
2e8affe8fb9976cbe61971af5877875d

SHA1
6bd3446cb3a054515ef2d44501c057020d0e2ee9

SHA256
7bc36ee215478a6764e3d9495087ed22c919a4ab975692627e9e21abd8441bda

SHA512
7051ca7b52d219394d0f991900cc9de89f304f1093711b3ef6715e33e3ca991d992baa7945207043f9ade1a066a5731e047a2d7933253df638daa6c12a9378f0

Download Submit
\Program Files\Voice.ai\VoiceAI.exe
Filesize
1.5MB

MD5
22f048e5ec179cd247784eb7569f2019

SHA1
fa578b5325db948eb2f792a55c269a73319ba773

SHA256
1ac54764c6a7019ed602f2470dda720e6c92e9e09ba4e237bec9d6985d58edbf

SHA512
06a227d74cbe0ea8d2c2f4b80c9d51bcc458df99c9077f1d93b1ddf0790b73b506ed97c3c1d83f56900b49e2780258bf30045a6b0205fb50b35fcd8226e2449a

Download Submit
\Program Files\Voice.ai\VoiceAI.exe
Filesize
1.5MB

MD5
22f048e5ec179cd247784eb7569f2019

SHA1
fa578b5325db948eb2f792a55c269a73319ba773

SHA256
1ac54764c6a7019ed602f2470dda720e6c92e9e09ba4e237bec9d6985d58edbf

SHA512
06a227d74cbe0ea8d2c2f4b80c9d51bcc458df99c9077f1d93b1ddf0790b73b506ed97c3c1d83f56900b49e2780258bf30045a6b0205fb50b35fcd8226e2449a

Download Submit
\Program Files\Voice.ai\VoiceAI.exe
Filesize
1.5MB

MD5
22f048e5ec179cd247784eb7569f2019

SHA1
fa578b5325db948eb2f792a55c269a73319ba773

SHA256
1ac54764c6a7019ed602f2470dda720e6c92e9e09ba4e237bec9d6985d58edbf

SHA512
06a227d74cbe0ea8d2c2f4b80c9d51bcc458df99c9077f1d93b1ddf0790b73b506ed97c3c1d83f56900b49e2780258bf30045a6b0205fb50b35fcd8226e2449a

Download Submit
\Program Files\Voice.ai\VoiceAI.exe
Filesize
1.5MB

MD5
22f048e5ec179cd247784eb7569f2019

SHA1
fa578b5325db948eb2f792a55c269a73319ba773

SHA256
1ac54764c6a7019ed602f2470dda720e6c92e9e09ba4e237bec9d6985d58edbf

SHA512
06a227d74cbe0ea8d2c2f4b80c9d51bcc458df99c9077f1d93b1ddf0790b73b506ed97c3c1d83f56900b49e2780258bf30045a6b0205fb50b35fcd8226e2449a

Download Submit
\Program Files\Voice.ai\VoiceAI.exe
Filesize
1.5MB

MD5
22f048e5ec179cd247784eb7569f2019

SHA1
fa578b5325db948eb2f792a55c269a73319ba773

SHA256
1ac54764c6a7019ed602f2470dda720e6c92e9e09ba4e237bec9d6985d58edbf

SHA512
06a227d74cbe0ea8d2c2f4b80c9d51bcc458df99c9077f1d93b1ddf0790b73b506ed97c3c1d83f56900b49e2780258bf30045a6b0205fb50b35fcd8226e2449a

Download Submit
\Program Files\Voice.ai\VoiceAI.exe
Filesize
1.5MB

MD5
22f048e5ec179cd247784eb7569f2019

SHA1
fa578b5325db948eb2f792a55c269a73319ba773

SHA256
1ac54764c6a7019ed602f2470dda720e6c92e9e09ba4e237bec9d6985d58edbf

SHA512
06a227d74cbe0ea8d2c2f4b80c9d51bcc458df99c9077f1d93b1ddf0790b73b506ed97c3c1d83f56900b49e2780258bf30045a6b0205fb50b35fcd8226e2449a

Download Submit
\Program Files\Voice.ai\tools\vac.exe
Filesize
901KB

MD5
aad9093bc9182081a386325d9c931f90

SHA1
1d06ad447b60b147c05369e6e761e1aa8ba7a54d

SHA256
186892503330970c8e8d561adf9b71bd15cd93589306ec00fa60009ebf611ee6

SHA512
cd56bf05b32df0314e9f70e5808813c78a0b687e55426d2f333c835412e1631befc84af72fb31d00eff41e180aea021b719f57033f92474063a9629ceca54225

Download Submit
\Program Files\Voice.ai\tools\vc2019.exe
Filesize
24.1MB

MD5
4a85bfd44f09ef46679fafcb1bab627a

SHA1
7741a5cad238ce3e4ca7756058f2a67a57fee9d1

SHA256
37ed59a66699c0e5a7ebeef7352d7c1c2ed5ede7212950a1b0a8ee289af4a95b

SHA512
600e61332416b23ef518f4252df0000c03612e8b0680eab0bdf589d9c855539b973583dc4ce1faab5828f58653ed85a1f9196eb1c7bbf6d2e3b5ab3e83253f98

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7DBA.tmp\nsProcess.dll
Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7DBA.tmp\nsisdl.dll
Filesize
14KB

MD5
6ab807f51b07da5d1ad43e82ad1fee42

SHA1
886bbf732e5f872642541e8adabfca1b6b264d74

SHA256
074996a2d3d99cb5b10d4c4f1ff92bacd45605c8103cb465091d78bc894f73f9

SHA512
8ccedbc10394e0dd9763c7c25ea025b6fedeb0bd3d3a83c2e8dc45c8a2d30e3f0366513961a98ffc3ee872f31b009a7e179806f41c65528992299816295588b5

Download Submit
\Users\Admin\AppData\Local\Temp\nsv8CE6.tmp\InstallOptions.dll
Filesize
14KB

MD5
6cba8c14f28cadf0d59e20411bfe20ed

SHA1
e27e01120021f12e79aba7204e2c12bbf83a3176

SHA256
66fc075ca0c0881345f7d28c03678b8daca84de06563a8de677481bce89fcab2

SHA512
5df3c645582cd0b5ce41b71140d4f4eb19bfdbb49f96ae33d149437d00c5306d589a21ba129ec0489198b24a685833033bc24d503449b14bd51600e7bfd9cb6e

Download Submit
\Users\Admin\AppData\Local\Temp\nsv8CE6.tmp\System.dll
Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
\Windows\Temp\{4DA5F8C5-2B21-4DC0-957F-CBD00E1C72D1}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\Windows\Temp\{A7239E96-FB33-4573-9F2D-D23D61F226CB}\.cr\vc2019.exe
Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\Windows\Temp\{DD0BC1A2-A6D9-4532-904C-31B78EAC6070}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
memory/576-54-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/600-64-0x0000000000000000-mapping.dmp

Download
memory/968-97-0x0000000000000000-mapping.dmp

Download
memory/1076-115-0x0000000000000000-mapping.dmp

Download
memory/1236-68-0x0000000000000000-mapping.dmp

Download
memory/1524-108-0x0000000000000000-mapping.dmp

Download
memory/1756-58-0x0000000000000000-mapping.dmp

Download
memory/1788-105-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download
memory/1796-110-0x0000000000000000-mapping.dmp

Download
memory/1948-85-0x0000000000000000-mapping.dmp

Download
memory/1964-95-0x0000000074211000-0x0000000074213000-memory.dmp

Filesize
8KB

Download
memory/1964-90-0x0000000000000000-mapping.dmp

Download