c874c0d892d6544a71e4a8a06f11ffe5f591ef704178e515470c3bca2bb8649e

Analysis

max time kernel
1561s
max time network
1571s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/07/2023, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoicemodSetup_2.43.4.0.exe
Size

111.3MB
MD5

ae0ab48e2db8dca628f7c386dc168dc2
SHA1

c67fa5810f8ec2795d93a09ef4b285a687853154
SHA256

c874c0d892d6544a71e4a8a06f11ffe5f591ef704178e515470c3bca2bb8649e
SHA512

f9888200aa26ab59be97ae033bc09dca900ba378ba53bd886a627c256da7318f4ee78c998260e63e3ef4bb27753758646fc7f423229617ffaccc7d89d050c337
SSDEEP

3145728:iF3LBVh1tDI/1joYVcGATBmcExG9nMJZhyP/VE9g3:23F1tS1jMG4BZExGZMJQ6E

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2404	netsh.exe
2552	netsh.exe
320	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	VoicemodSetup_2.43.4.0.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\Voicemod = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\""	VoicemodSetup_2.43.4.0.tmp

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\SETB2AE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\SETB2AC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\SETB2AC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\mvvad.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\SETB2AD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\SETB2AD.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\SETB2AE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Voicemod Desktop\NLog.Extensions.Logging.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Server.Kestrel.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\NLog.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-ECDFE.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-S1721.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\da.pak	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-NM4TP.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\sk.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\RestSharp.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Bcl.AsyncInterfaces.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-KF3FJ.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-Q12BU.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\icudtl.dat	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\de\is-PLOI0.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\zh-tw\is-SFU6H.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\CefSharp.BrowserSubprocess.Core.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Sentry.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-6LIKI.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-VUFTR.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\es.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\SimpleInjector.Integration.AspNetCore.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-V66GI.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-MQDA5.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-DOHO6.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-EOAB4.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\ru\is-BOS6G.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-8MEPG.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-FU1MD.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-9Q48C.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-9C3K5.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-RK75D.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-KJSST.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\it\is-AV1MI.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-O4A8Q.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-2HLGI.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-0U5U1.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-0RSHJ.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\chrome_100_percent.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\chrome_200_percent.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\cs.pak	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-I96G1.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-OJTTT.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-V04A8.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\v8_context_snapshot.bin	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\de.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\pt-BR.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.ValueTuple.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-4EPNI.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-R0JH3.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\ko\is-7NOIA.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.IdentityModel.Logging.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\vulkan-1.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-HBIS9.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-6BRJG.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\is-KV4LU.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Server.Kestrel.Https.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.IO.Pipelines.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Nest.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-3NQTD.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-U6I14.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\ja.pak	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-MA329.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-Q8L5B.tmp	VoicemodSetup_2.43.4.0.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	voicemodcon.exe
File created	C:\Windows\INF\oem1.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Executes dropped EXE 13 IoCs

pid	Process
2468	VoicemodSetup_2.43.4.0.tmp
2168	curl.exe
1648	SaveDefaultDevices.exe
2396	voicemodcon.exe
2676	AudioEndPointTool.exe
2996	AudioEndPointTool.exe
2860	AudioEndPointTool.exe
2824	voicemodcon.exe
1600	AudioEndPointTool.exe
1696	AudioEndPointTool.exe
2776	AudioEndPointTool.exe
1904	AudioEndPointTool.exe
1040	VoicemodDesktop.exe

Loads dropped DLL 22 IoCs

pid	Process
3040	VoicemodSetup_2.43.4.0.exe
2468	VoicemodSetup_2.43.4.0.tmp
2468	VoicemodSetup_2.43.4.0.tmp
2952	Process not Found
2468	VoicemodSetup_2.43.4.0.tmp
2468	VoicemodSetup_2.43.4.0.tmp
2468	VoicemodSetup_2.43.4.0.tmp
2468	VoicemodSetup_2.43.4.0.tmp
1304	Process not Found
2468	VoicemodSetup_2.43.4.0.tmp
1028	Process not Found
2276	cmd.exe
1876	cmd.exe
1040	VoicemodDesktop.exe
1040	VoicemodDesktop.exe
1040	VoicemodDesktop.exe
1040	VoicemodDesktop.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	1040	WerFault.exe	88

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2824	tasklist.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\ = "URL:Voicemod Command Protocol"	VoicemodSetup_2.43.4.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\URL Protocol	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon	VoicemodSetup_2.43.4.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon\ = "VoicemodDesktop.exe,1"	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell	VoicemodSetup_2.43.4.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command\ = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\" \"%1\""	VoicemodSetup_2.43.4.0.tmp

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoicemodDesktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoicemodDesktop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VoicemodDesktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoicemodDesktop.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2468	VoicemodSetup_2.43.4.0.tmp
2468	VoicemodSetup_2.43.4.0.tmp
1732	powershell.exe
1732	powershell.exe
1732	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	tasklist.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeRestorePrivilege	2396	voicemodcon.exe
Token: SeRestorePrivilege	2396	voicemodcon.exe
Token: SeRestorePrivilege	2396	voicemodcon.exe
Token: SeRestorePrivilege	2396	voicemodcon.exe
Token: SeRestorePrivilege	2396	voicemodcon.exe
Token: SeRestorePrivilege	2396	voicemodcon.exe
Token: SeRestorePrivilege	2396	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	2824	voicemodcon.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	1692	DrvInst.exe
Token: SeRestorePrivilege	2044	rundll32.exe
Token: SeRestorePrivilege	2044	rundll32.exe
Token: SeRestorePrivilege	2044	rundll32.exe
Token: SeRestorePrivilege	2044	rundll32.exe
Token: SeRestorePrivilege	2044	rundll32.exe
Token: SeRestorePrivilege	2044	rundll32.exe
Token: SeRestorePrivilege	2044	rundll32.exe
Token: SeLoadDriverPrivilege	2824	voicemodcon.exe
Token: SeDebugPrivilege	1040	VoicemodDesktop.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2468	VoicemodSetup_2.43.4.0.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2468	3040	VoicemodSetup_2.43.4.0.exe	28
PID 3040 wrote to memory of 2468	3040	VoicemodSetup_2.43.4.0.exe	28
PID 3040 wrote to memory of 2468	3040	VoicemodSetup_2.43.4.0.exe	28
PID 3040 wrote to memory of 2468	3040	VoicemodSetup_2.43.4.0.exe	28
PID 3040 wrote to memory of 2468	3040	VoicemodSetup_2.43.4.0.exe	28
PID 3040 wrote to memory of 2468	3040	VoicemodSetup_2.43.4.0.exe	28
PID 3040 wrote to memory of 2468	3040	VoicemodSetup_2.43.4.0.exe	28
PID 2468 wrote to memory of 2168	2468	VoicemodSetup_2.43.4.0.tmp	29
PID 2468 wrote to memory of 2168	2468	VoicemodSetup_2.43.4.0.tmp	29
PID 2468 wrote to memory of 2168	2468	VoicemodSetup_2.43.4.0.tmp	29
PID 2468 wrote to memory of 2168	2468	VoicemodSetup_2.43.4.0.tmp	29
PID 2468 wrote to memory of 2968	2468	VoicemodSetup_2.43.4.0.tmp	31
PID 2468 wrote to memory of 2968	2468	VoicemodSetup_2.43.4.0.tmp	31
PID 2468 wrote to memory of 2968	2468	VoicemodSetup_2.43.4.0.tmp	31
PID 2468 wrote to memory of 2968	2468	VoicemodSetup_2.43.4.0.tmp	31
PID 2968 wrote to memory of 2824	2968	cmd.exe	33
PID 2968 wrote to memory of 2824	2968	cmd.exe	33
PID 2968 wrote to memory of 2824	2968	cmd.exe	33
PID 2468 wrote to memory of 1648	2468	VoicemodSetup_2.43.4.0.tmp	38
PID 2468 wrote to memory of 1648	2468	VoicemodSetup_2.43.4.0.tmp	38
PID 2468 wrote to memory of 1648	2468	VoicemodSetup_2.43.4.0.tmp	38
PID 2468 wrote to memory of 1648	2468	VoicemodSetup_2.43.4.0.tmp	38
PID 2468 wrote to memory of 1680	2468	VoicemodSetup_2.43.4.0.tmp	40
PID 2468 wrote to memory of 1680	2468	VoicemodSetup_2.43.4.0.tmp	40
PID 2468 wrote to memory of 1680	2468	VoicemodSetup_2.43.4.0.tmp	40
PID 2468 wrote to memory of 1680	2468	VoicemodSetup_2.43.4.0.tmp	40
PID 1680 wrote to memory of 1732	1680	cmd.exe	42
PID 1680 wrote to memory of 1732	1680	cmd.exe	42
PID 1680 wrote to memory of 1732	1680	cmd.exe	42
PID 1732 wrote to memory of 2388	1732	powershell.exe	43
PID 1732 wrote to memory of 2388	1732	powershell.exe	43
PID 1732 wrote to memory of 2388	1732	powershell.exe	43
PID 2388 wrote to memory of 1592	2388	cmd.exe	45
PID 2388 wrote to memory of 1592	2388	cmd.exe	45
PID 2388 wrote to memory of 1592	2388	cmd.exe	45
PID 1592 wrote to memory of 2592	1592	net.exe	46
PID 1592 wrote to memory of 2592	1592	net.exe	46
PID 1592 wrote to memory of 2592	1592	net.exe	46
PID 2388 wrote to memory of 1964	2388	cmd.exe	47
PID 2388 wrote to memory of 1964	2388	cmd.exe	47
PID 2388 wrote to memory of 1964	2388	cmd.exe	47
PID 1964 wrote to memory of 1196	1964	net.exe	48
PID 1964 wrote to memory of 1196	1964	net.exe	48
PID 1964 wrote to memory of 1196	1964	net.exe	48
PID 2388 wrote to memory of 2276	2388	cmd.exe	49
PID 2388 wrote to memory of 2276	2388	cmd.exe	49
PID 2388 wrote to memory of 2276	2388	cmd.exe	49
PID 2276 wrote to memory of 2396	2276	cmd.exe	50
PID 2276 wrote to memory of 2396	2276	cmd.exe	50
PID 2276 wrote to memory of 2396	2276	cmd.exe	50
PID 2388 wrote to memory of 2616	2388	cmd.exe	51
PID 2388 wrote to memory of 2616	2388	cmd.exe	51
PID 2388 wrote to memory of 2616	2388	cmd.exe	51
PID 2616 wrote to memory of 2660	2616	net.exe	52
PID 2616 wrote to memory of 2660	2616	net.exe	52
PID 2616 wrote to memory of 2660	2616	net.exe	52
PID 2388 wrote to memory of 1876	2388	cmd.exe	54
PID 2388 wrote to memory of 1876	2388	cmd.exe	54
PID 2388 wrote to memory of 1876	2388	cmd.exe	54
PID 1876 wrote to memory of 2676	1876	cmd.exe	55
PID 1876 wrote to memory of 2676	1876	cmd.exe	55
PID 1876 wrote to memory of 2676	1876	cmd.exe	55
PID 2388 wrote to memory of 3004	2388	cmd.exe	56
PID 2388 wrote to memory of 3004	2388	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.43.4.0.exe
"C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.43.4.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\is-2LBL0.tmp\VoicemodSetup_2.43.4.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2LBL0.tmp\VoicemodSetup_2.43.4.0.tmp" /SL5="$80124,115903133,720896,C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.43.4.0.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\curl.exe
    "C:\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=e956bc1e-e1e1-4a80-9462-c2e2022bbe1a -o C:\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\deviceId.txt
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2824
- - C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
    "C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt
    3⤵
    - Executes dropped EXE
    PID:1648
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Start-Process 'setupDrvAdmin.bat' -Verb runAs -WindowStyle Hidden -Wait"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Voicemod Desktop\driver\setupDrvAdmin.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        7⤵
        
        PID:2592
      - C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        7⤵
        
        PID:1196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "voicemodcon.exe dp_enum"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon.exe dp_enum
        7⤵
        Drops file in Windows directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
      - C:\Windows\system32\net.exe
        
        net start audiosrv
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        7⤵
        
        PID:2660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        7⤵
        Executes dropped EXE
        
        PID:2676
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        6⤵
        
        PID:3004
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        7⤵
        Executes dropped EXE
        
        PID:2996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        6⤵
        
        PID:3052
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        7⤵
        Executes dropped EXE
        
        PID:2860
      - C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        6⤵
        
        PID:2812
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        7⤵
        
        PID:2960
      - C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        6⤵
        
        PID:700
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        7⤵
        
        PID:2716
      - C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon install mvvad.inf *VMDriver
        6⤵
        Drops file in Windows directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
      - C:\Windows\system32\net.exe
        
        net start audiosrv
        6⤵
        
        PID:1432
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        7⤵
        
        PID:2136
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{26577fe4-cc63-4de2-aea7-7a0ceee7d60a}" --flow=Capture --role=Communications
        6⤵
        Executes dropped EXE
        
        PID:1600
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{26577fe4-cc63-4de2-aea7-7a0ceee7d60a}" --flow=Capture --role=Multimedia
        6⤵
        Executes dropped EXE
        
        PID:1696
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{26577fe4-cc63-4de2-aea7-7a0ceee7d60a}" --flow=Capture --role=Console
        6⤵
        Executes dropped EXE
        
        PID:2776
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\disableDrv.bat""
    3⤵
    PID:2920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
      4⤵
      PID:2068
    - - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
        5⤵
        Executes dropped EXE
        
        PID:1904
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    PID:820
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Modifies Windows Firewall
      PID:320
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    PID:2100
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Modifies Windows Firewall
      PID:2404
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    PID:2252
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Modifies Windows Firewall
      PID:2552
- - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
    "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1040 -s 584876
      4⤵
      Loads dropped DLL
      Program crash
      PID:1592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x330
1⤵
PID:2800

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7a2b6065-f5a4-6fe4-9f8d-d17d5bf0d234}\mvvad.inf" "9" "699a51a03" "00000000000004AC" "WinSta0\Default" "000000000000029C" "208" "c:\program files\voicemod desktop\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1692
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{16161ae8-9bb4-788e-cd56-e56f0b0df905} Global\{74e9ac7f-6d40-30b7-c779-0c0412b6ae16} C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\mvvad.inf C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\mvvad.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

C:\Windows\system32\DrvInst.exe
DrvInst.exe "3" "201" "ROOT\MEDIA\0000" "" "" "699a51a03" "00000000000004AC" "00000000000005A4" "00000000000005E0"
1⤵
- Drops file in Windows directory
PID:2808

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{19247239-169f-4dcf-b38e-edf4f94e9807} "(null)"
1⤵
PID:1340

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5bc
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.dll

Filesize
37KB

MD5
7060cc7bc98ad30d6dae86fa4beee3a2

SHA1
a507ab0eb9c72353587f45d8c50d4c1f52b35add

SHA256
61657e60144a9dcfccb90bcb6e6c9fa691b8341f0faa639e0eaa42c4c435731f

SHA512
d85ae4a6bccecf4676dbf831fa2916d85419d4e0fdaa2eff15c648515ff1a8fb568bd77fbf0f5c45230cb835be94569db08c0c6e4b1873afda24c2beb738ced3

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.dll

Filesize
1.1MB

MD5
8fa3f8f402ec7481c04af9ab8da0c37d

SHA1
700641ff91978c27c3543ef4daf9a6e813f27c66

SHA256
a09d9428d7866828719640c1841ce5877ef829d1c2f48dcf651fbf5cc53a93ed

SHA512
a42696f231b1a91b3b2c14b2867aaac4750b7d009f161d7a3fa8f8b24ab74f548a718cbe298c400d7cbbb0db4bf473fe667ad6ed5da69eb9e2d7fa2a24971055

Download Submit
C:\Program Files\Voicemod Desktop\NLog.dll

Filesize
827KB

MD5
c71e0369481b26fc71eb11186635796e

SHA1
d77558ee49a2c01ff16a7ff08e71cbae32e0c2f1

SHA256
72d594b34415c86942d501e9e134034be23f342db08c6c4cd3344921a169d394

SHA512
9ec195c873680fb9ee7bbd2f1f397126d1b1d38c1630108e7206c3f678b80052207ac25247a254fd27ae93ff71e5b778c27afb423cc9946b91549a328ec4be04

Download Submit
C:\Program Files\Voicemod Desktop\Voicemod.VoicemodDesktop.UI.dll

Filesize
11.3MB

MD5
9575a8abe519e9626ca4dd8a54086df9

SHA1
00e887498a422edbf9ef04793431e451c7d8f614

SHA256
91cc15f69098b94a21fc7ce9afe369aa4e6c8014f3c347a8732293af5acc7791

SHA512
d9c89834bed26007ddc465be6bfb9f5e04d02a998a7727568513f16f940149f581be030032cd75ebd22a84c85b0e85af08f6095ccc109e0d972dc0d91dc67340

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe.config

Filesize
7KB

MD5
2b70a213b9e67127f09948ab814ae417

SHA1
3802f6e7f6be7ea76e529dff37ac38b9ea55d0c7

SHA256
d8c3da764fca4495d0a7903dba58349dda77c50618593ae14884a8ee124ca28e

SHA512
2458bdb39ab5c960cb17318e3708a81654a964a899d41ae9c05f6824fdc2b42b34393f94ea17e0170eebf6da5fb61675563ae00dead8d717c0cbd812b915d928

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodSDK.dll

Filesize
28.3MB

MD5
9890174ee0122c2282b6db2182481039

SHA1
accb5a093c2c052eb68bfd14aa3302571ee0b321

SHA256
b118aa0ba65c85639151b83909159c5c2d371eb2d7900308dbc78421bb5629bb

SHA512
d2370c1f973218a14cac5664342f9926c28b7ae88d462e731b4bf7d4aa8a932e0bf9f47de92f9ae0458716b5e093a209068efc5e4d64ad2821a3d5a5f168cde2

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\disableDrv.bat

Filesize
273B

MD5
ecc70d85c21b6ca0eafdaecbd4b3fade

SHA1
b5750a80b7ebdda7aa4665596d466b0deb448965

SHA256
7fae365b37340c032703c8f5045d05f8c592890932ed74c1343c3e526c24ae00

SHA512
58e26ea44c7e8173caf7aa9fde3822ac68e74f8ae6b27c9dd6f06fbf1fdcef888ebd6d331cb3fad3df7c1974ebcf337b95d06c2c8d468349cb34674ea52d9ce1

Download Submit
C:\Program Files\Voicemod Desktop\driver\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrv.bat

Filesize
155B

MD5
40828dd0bcea33a654a95424a47ba6ac

SHA1
1628aa873bcee8535956c58d09c501999a109fbe

SHA256
c26adbc237104e98381973202b8749fa68329be80a10e54f3b6a046b04b35cdf

SHA512
14487658a8376a96460e2fe669f91716d7ed604b9b02df44cbe8212869ad368f31f33fc50617c0650f64893faf033af2ad209849083177ba5469c87e6ce27236

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrvAdmin.bat

Filesize
1KB

MD5
0f7177b97fdb5588f4f4ce93cba508fb

SHA1
e26497ce0f32c52e7e8eee534c1e94441ad6ee5e

SHA256
a3371fb86a3a865d51740c41791559c864072f2a4d146773cf06e8e159e18c88

SHA512
95e1d07cb7360d83cabff69cb7bbd670602e3077fb313fd1aeb10b025bc27d0b92aa848b34d5cf63defea030634d26e81838e9b1f5cb8f7007e12f2fffbeb59f

Download Submit
C:\Program Files\Voicemod Desktop\driver\uninstalldriver.bat

Filesize
1KB

MD5
a6261c36b1eb262f18c98e520966c329

SHA1
be1f1a0bdcc2f26bc41599b257f2b4c95a1a87a1

SHA256
d0cdbdb5be2be15f77861b6e08aa553d9e8580c224ef0f63e55064f415fc16f0

SHA512
06da998b9778148e15065b67ea6ffadd6df7babf6b1b435368e6c7b6e91d3506d3c3498140cd8b950e207d97c78a899e567b4fbf462d07f7ad473a878ea45fec

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Program Files\Voicemod Desktop\libcef.dll

Filesize
186.9MB

MD5
6e2fcb606e29952a2c174f52c3d38092

SHA1
d7fa115fb50ad0f071e7c4d5c7da16738eba85d9

SHA256
7067eeea08595630ca99c6b12a889e3f383827a07873ae6d899e09bb65915634

SHA512
ea821711ecc746c17b58fba30a2d15b474f3b34117f4f668869416a3e3e937fa667071252e47a113022f27717e95a2effe1cf4ad14df0e9de5b84a6feb4a6691

Download Submit
C:\Program Files\Voicemod Desktop\unins000.exe

Filesize
2.4MB

MD5
63888d0c6fd08bf5880d7c3acd1fb141

SHA1
4b4adb14849321da801f6d1fd126185a155988c9

SHA256
3a499c00b2c4d925232b993edb9de39976d4b26b57383b42eb99d196a361c8c4

SHA512
ecdb4449408e44765baf260a381e99bc215a56f7ec50e61629831d1b68c2a7a1951c09b7268434f938058ec79bc2c2f0a58993d6c3e5ddcc3562c9282748392d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAEE7.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAF48.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2LBL0.tmp\VoicemodSetup_2.43.4.0.tmp

Filesize
2.4MB

MD5
63888d0c6fd08bf5880d7c3acd1fb141

SHA1
4b4adb14849321da801f6d1fd126185a155988c9

SHA256
3a499c00b2c4d925232b993edb9de39976d4b26b57383b42eb99d196a361c8c4

SHA512
ecdb4449408e44765baf260a381e99bc215a56f7ec50e61629831d1b68c2a7a1951c09b7268434f938058ec79bc2c2f0a58993d6c3e5ddcc3562c9282748392d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2LBL0.tmp\VoicemodSetup_2.43.4.0.tmp

Filesize
2.4MB

MD5
63888d0c6fd08bf5880d7c3acd1fb141

SHA1
4b4adb14849321da801f6d1fd126185a155988c9

SHA256
3a499c00b2c4d925232b993edb9de39976d4b26b57383b42eb99d196a361c8c4

SHA512
ecdb4449408e44765baf260a381e99bc215a56f7ec50e61629831d1b68c2a7a1951c09b7268434f938058ec79bc2c2f0a58993d6c3e5ddcc3562c9282748392d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\bg-bottom.png

Filesize
1KB

MD5
a85701bbac20a65391e4e202afc96204

SHA1
a0e73596a79baaa29fbbb368bd132e3ee49d3b03

SHA256
7e3058acb23e999d1ddfdea122afd33bc487b075c2a966affeec4d38cdbb738f

SHA512
55b1015a0d6a613104ae7edb64a59d198a176ee4fc0c32d9f1af1e7ad577af606adf55ea5586ad25443fb9ea9e770dbc2267301027c1a5f3db5eff928086a27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\bg-inner.png

Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\bg-top.png

Filesize
32KB

MD5
dc19715992c0051d1456308b41f04e98

SHA1
85abf86dd0e738638fff84ecd44e5b3cdbb4b96d

SHA256
86bfe5acda1b1fc9bc8f205a58c824ad58179925d2ceae11b2a341122604457d

SHA512
2f7b3bfa6c084b830213996f7691b6abcb9efd0ac44da4739972758b4eab0478e46761d8590fcea03d2902909c2c992f1eed1ef48e353a05ba67c06189d2117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\buttons.png

Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\curl.exe

Filesize
5.4MB

MD5
4cd044c22a2fdbb361eb9c9b14fe623a

SHA1
b85779cb56508c1630bdf3d6e43b15a8b9d19eb9

SHA256
6945c565514d907739fb324b551f3f909cb4955443a248c693887ebdf9e291ce

SHA512
abc7a3177f828f9e6f39e1bdff7a11c71e831612fa2481ba6e58c6911b662cfb24f294a35d9abf55df81916d635667a5cb5e062ae164b1b2ff1acae7ac0ba66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt

Filesize
2KB

MD5
46293b661d78fa7827341434be4ee1a3

SHA1
3fef7f8bf4ff830c4c07cbb332e243253ac1513b

SHA256
d6380a0d10c70871293803e8d5be090b46b7e514a1f73c391fdc78c2c7252217

SHA512
64a467a734da0a48b3b03c023582e9b35b1a4c1588c8afec4abda8a20868ab93cac1f86197de7683cecab989be0738eeaa75c74474eeb8906086e63983317e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7A2B6~1\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7a2b6065-f5a4-6fe4-9f8d-d17d5bf0d234}\SETB211.tmp

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7a2b6065-f5a4-6fe4-9f8d-d17d5bf0d234}\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7a2b6065-f5a4-6fe4-9f8d-d17d5bf0d234}\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7a2b6065-f5a4-6fe4-9f8d-d17d5bf0d234}\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7a2b6065-f5a4-6fe4-9f8d-d17d5bf0d234}\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Windows\System32\DriverStore\Temp\{77be55df-f605-149d-aa64-a3152df4b556}\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Windows\Temp\CabB2FC.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarB30F.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\??\c:\PROGRA~1\VOICEM~1\driver\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
\??\c:\program files\voicemod desktop\driver\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
\Program Files\Voicemod Desktop\libcef.dll

Filesize
186.9MB

MD5
6e2fcb606e29952a2c174f52c3d38092

SHA1
d7fa115fb50ad0f071e7c4d5c7da16738eba85d9

SHA256
7067eeea08595630ca99c6b12a889e3f383827a07873ae6d899e09bb65915634

SHA512
ea821711ecc746c17b58fba30a2d15b474f3b34117f4f668869416a3e3e937fa667071252e47a113022f27717e95a2effe1cf4ad14df0e9de5b84a6feb4a6691

Download Submit
\Users\Admin\AppData\Local\Temp\is-2LBL0.tmp\VoicemodSetup_2.43.4.0.tmp

Filesize
2.4MB

MD5
63888d0c6fd08bf5880d7c3acd1fb141

SHA1
4b4adb14849321da801f6d1fd126185a155988c9

SHA256
3a499c00b2c4d925232b993edb9de39976d4b26b57383b42eb99d196a361c8c4

SHA512
ecdb4449408e44765baf260a381e99bc215a56f7ec50e61629831d1b68c2a7a1951c09b7268434f938058ec79bc2c2f0a58993d6c3e5ddcc3562c9282748392d

Download Submit
\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\curl.exe

Filesize
5.4MB

MD5
4cd044c22a2fdbb361eb9c9b14fe623a

SHA1
b85779cb56508c1630bdf3d6e43b15a8b9d19eb9

SHA256
6945c565514d907739fb324b551f3f909cb4955443a248c693887ebdf9e291ce

SHA512
abc7a3177f828f9e6f39e1bdff7a11c71e831612fa2481ba6e58c6911b662cfb24f294a35d9abf55df81916d635667a5cb5e062ae164b1b2ff1acae7ac0ba66f

Download Submit
\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\curl.exe

Filesize
5.4MB

MD5
4cd044c22a2fdbb361eb9c9b14fe623a

SHA1
b85779cb56508c1630bdf3d6e43b15a8b9d19eb9

SHA256
6945c565514d907739fb324b551f3f909cb4955443a248c693887ebdf9e291ce

SHA512
abc7a3177f828f9e6f39e1bdff7a11c71e831612fa2481ba6e58c6911b662cfb24f294a35d9abf55df81916d635667a5cb5e062ae164b1b2ff1acae7ac0ba66f

Download Submit
\Users\Admin\AppData\Local\Temp\is-RGE96.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/1040-1180-0x000000001F380000-0x000000001F53E000-memory.dmp

Filesize
1.7MB

Download
memory/1040-1176-0x000000001E1C0000-0x000000001E2D4000-memory.dmp

Filesize
1.1MB

Download
memory/1040-1142-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1040-1140-0x000000001B3B0000-0x000000001B484000-memory.dmp

Filesize
848KB

Download
memory/1040-1184-0x000000001FC80000-0x0000000020C80000-memory.dmp

Filesize
16.0MB

Download
memory/1040-1138-0x000000001CE10000-0x000000001CE90000-memory.dmp

Filesize
512KB

Download
memory/1040-1137-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/1040-1190-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/1040-1191-0x000000001CE10000-0x000000001CE90000-memory.dmp

Filesize
512KB

Download
memory/1040-1108-0x000000013F6C0000-0x000000013FDD2000-memory.dmp

Filesize
7.1MB

Download
memory/1040-1192-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-656-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/1732-676-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1732-654-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/1732-684-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1732-1092-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-685-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1732-657-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-655-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-675-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1732-674-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-658-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1732-660-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1732-659-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2044-942-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2044-946-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2168-76-0x0000000000FD0000-0x0000000001538000-memory.dmp

Filesize
5.4MB

Download
memory/2468-163-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2468-164-0x0000000003390000-0x000000000339E000-memory.dmp

Filesize
56KB

Download
memory/2468-87-0x0000000003390000-0x000000000339E000-memory.dmp

Filesize
56KB

Download
memory/2468-61-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2468-1135-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2468-232-0x0000000001F30000-0x0000000002070000-memory.dmp

Filesize
1.2MB

Download
memory/2468-283-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2468-624-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2468-167-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2468-663-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2468-165-0x0000000001F30000-0x0000000002070000-memory.dmp

Filesize
1.2MB

Download
memory/2468-285-0x0000000003390000-0x000000000339E000-memory.dmp

Filesize
56KB

Download
memory/2468-1099-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2468-69-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2468-70-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2468-161-0x0000000003520000-0x0000000003660000-memory.dmp

Filesize
1.2MB

Download
memory/2468-156-0x0000000001F30000-0x0000000002070000-memory.dmp

Filesize
1.2MB

Download
memory/2468-151-0x0000000001F30000-0x0000000002070000-memory.dmp

Filesize
1.2MB

Download
memory/2468-146-0x0000000001F30000-0x0000000002070000-memory.dmp

Filesize
1.2MB

Download
memory/2468-141-0x0000000001F30000-0x0000000002070000-memory.dmp

Filesize
1.2MB

Download
memory/3040-67-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3040-54-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3040-1136-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download