c874c0d892d6544a71e4a8a06f11ffe5f591ef704178e515470c3bca2bb8649e

Analysis

max time kernel
150s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2023, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoicemodSetup_2.43.4.0.exe
Size

111.3MB
MD5

ae0ab48e2db8dca628f7c386dc168dc2
SHA1

c67fa5810f8ec2795d93a09ef4b285a687853154
SHA256

c874c0d892d6544a71e4a8a06f11ffe5f591ef704178e515470c3bca2bb8649e
SHA512

f9888200aa26ab59be97ae033bc09dca900ba378ba53bd886a627c256da7318f4ee78c998260e63e3ef4bb27753758646fc7f423229617ffaccc7d89d050c337
SSDEEP

3145728:iF3LBVh1tDI/1joYVcGATBmcExG9nMJZhyP/VE9g3:23F1tS1jMG4BZExGZMJQ6E

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\SET6B33.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\SET6B33.tmp	DrvInst.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4092	netsh.exe
1636	netsh.exe
2068	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	VoicemodSetup_2.43.4.0.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voicemod = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\""	VoicemodSetup_2.43.4.0.tmp

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}\mvvad.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}\SET67BA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}\SET67CA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}\SET67A9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}\SET67CA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.PNF	voicemodcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}\SET67BA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1d008548-527e-9745-9a01-dc5445a50688}\SET67A9.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Voicemod Desktop\is-JKRDC.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\resources.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\uk.pak	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\48000\is-E4Q50.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\DriverPackageUninstall.exe	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-07VHO.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-Q4QQE.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-H18GR.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-V0KMP.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-L7RS0.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\libcef.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\NAudio.Vorbis.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-U5VCM.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-EGIAC.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-2OBTQ.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-6U64I.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Runtime.CompilerServices.Unsafe.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-LSLDH.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\mr.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\pt-BR.pak	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-AQ9P2.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-ETRD1.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\mParticle.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Extensions.Configuration.EnvironmentVariables.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\cs.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\AutoUpdater.NET.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.WebUtilities.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-4M94G.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-93ROD.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\et.pak	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\it\is-CAQDP.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\ja-JP\is-204CQ.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\CefSharp.BrowserSubprocess.Core.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\vulkan-1.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-IBT33.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-UU2N9.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-2G0ID.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Net.WebSockets.WebSocketProtocol.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Interop.WMPLib.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\NLog.Extensions.Logging.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Collections.Immutable.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-9091D.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-NAGMD.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-GO8TC.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\bn.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\libGLESv2.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\ur.pak	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh-tw\AutoUpdater.NET.resources.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-1JU35.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\ru.pak	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-QBLU5.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\de\is-Q7I1Q.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Threading.Channels.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\SevenZip.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-ITE5R.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-DM0BE.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-8FSEC.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Nest.dll	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Diagnostics.DiagnosticSource.dll	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-RM8OF.tmp	VoicemodSetup_2.43.4.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-697EI.tmp	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe	VoicemodSetup_2.43.4.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\vk_swiftshader.dll	VoicemodSetup_2.43.4.0.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem1.PNF	voicemodcon.exe
File created	C:\Windows\INF\oem2.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	voicemodcon.exe
File created	C:\Windows\INF\c_media.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Executes dropped EXE 16 IoCs

pid	Process
3664	VoicemodSetup_2.43.4.0.tmp
4984	SaveDefaultDevices.exe
3944	voicemodcon.exe
624	AudioEndPointTool.exe
3576	AudioEndPointTool.exe
1096	AudioEndPointTool.exe
3776	voicemodcon.exe
3808	AudioEndPointTool.exe
2200	AudioEndPointTool.exe
2964	AudioEndPointTool.exe
2684	AudioEndPointTool.exe
2692	AudioEndPointTool.exe
4472	VoicemodDesktop.exe
848	VoicemodDesktop.exe
4480	VoicemodDesktop.exe
2348	VoicemodDesktop.exe

Loads dropped DLL 8 IoCs

pid	Process
3664	VoicemodSetup_2.43.4.0.tmp
3664	VoicemodSetup_2.43.4.0.tmp
3664	VoicemodSetup_2.43.4.0.tmp
4472	VoicemodDesktop.exe
4472	VoicemodDesktop.exe
4472	VoicemodDesktop.exe
4472	VoicemodDesktop.exe
4472	VoicemodDesktop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 62 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4864	tasklist.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\ = "URL:Voicemod Command Protocol"	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command	VoicemodSetup_2.43.4.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command\ = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\" \"%1\""	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod	VoicemodSetup_2.43.4.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\URL Protocol	VoicemodSetup_2.43.4.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon	VoicemodSetup_2.43.4.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon\ = "VoicemodDesktop.exe,1"	VoicemodSetup_2.43.4.0.tmp

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoicemodDesktop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VoicemodDesktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoicemodDesktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoicemodDesktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoicemodDesktop.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3664	VoicemodSetup_2.43.4.0.tmp
3664	VoicemodSetup_2.43.4.0.tmp
4748	powershell.exe
4748	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	tasklist.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeAuditPrivilege	4592	svchost.exe
Token: SeSecurityPrivilege	4592	svchost.exe
Token: SeLoadDriverPrivilege	3776	voicemodcon.exe
Token: SeRestorePrivilege	3872	DrvInst.exe
Token: SeBackupPrivilege	3872	DrvInst.exe
Token: SeRestorePrivilege	3872	DrvInst.exe
Token: SeBackupPrivilege	3872	DrvInst.exe
Token: SeRestorePrivilege	3872	DrvInst.exe
Token: SeBackupPrivilege	3872	DrvInst.exe
Token: SeLoadDriverPrivilege	3872	DrvInst.exe
Token: SeLoadDriverPrivilege	3872	DrvInst.exe
Token: SeLoadDriverPrivilege	3872	DrvInst.exe
Token: SeDebugPrivilege	4472	VoicemodDesktop.exe
Token: SeDebugPrivilege	848	VoicemodDesktop.exe
Token: SeShutdownPrivilege	4472	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	4472	VoicemodDesktop.exe
Token: SeShutdownPrivilege	4472	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	4472	VoicemodDesktop.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3664	VoicemodSetup_2.43.4.0.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 3664	1500	VoicemodSetup_2.43.4.0.exe	89
PID 1500 wrote to memory of 3664	1500	VoicemodSetup_2.43.4.0.exe	89
PID 1500 wrote to memory of 3664	1500	VoicemodSetup_2.43.4.0.exe	89
PID 3664 wrote to memory of 5108	3664	VoicemodSetup_2.43.4.0.tmp	98
PID 3664 wrote to memory of 5108	3664	VoicemodSetup_2.43.4.0.tmp	98
PID 3664 wrote to memory of 4932	3664	VoicemodSetup_2.43.4.0.tmp	100
PID 3664 wrote to memory of 4932	3664	VoicemodSetup_2.43.4.0.tmp	100
PID 3664 wrote to memory of 3100	3664	VoicemodSetup_2.43.4.0.tmp	102
PID 3664 wrote to memory of 3100	3664	VoicemodSetup_2.43.4.0.tmp	102
PID 3100 wrote to memory of 4864	3100	cmd.exe	104
PID 3100 wrote to memory of 4864	3100	cmd.exe	104
PID 3664 wrote to memory of 3716	3664	VoicemodSetup_2.43.4.0.tmp	107
PID 3664 wrote to memory of 3716	3664	VoicemodSetup_2.43.4.0.tmp	107
PID 3664 wrote to memory of 4360	3664	VoicemodSetup_2.43.4.0.tmp	110
PID 3664 wrote to memory of 4360	3664	VoicemodSetup_2.43.4.0.tmp	110
PID 3664 wrote to memory of 3248	3664	VoicemodSetup_2.43.4.0.tmp	112
PID 3664 wrote to memory of 3248	3664	VoicemodSetup_2.43.4.0.tmp	112
PID 3664 wrote to memory of 1112	3664	VoicemodSetup_2.43.4.0.tmp	114
PID 3664 wrote to memory of 1112	3664	VoicemodSetup_2.43.4.0.tmp	114
PID 3664 wrote to memory of 2044	3664	VoicemodSetup_2.43.4.0.tmp	116
PID 3664 wrote to memory of 2044	3664	VoicemodSetup_2.43.4.0.tmp	116
PID 3664 wrote to memory of 376	3664	VoicemodSetup_2.43.4.0.tmp	118
PID 3664 wrote to memory of 376	3664	VoicemodSetup_2.43.4.0.tmp	118
PID 3664 wrote to memory of 1552	3664	VoicemodSetup_2.43.4.0.tmp	120
PID 3664 wrote to memory of 1552	3664	VoicemodSetup_2.43.4.0.tmp	120
PID 3664 wrote to memory of 3220	3664	VoicemodSetup_2.43.4.0.tmp	122
PID 3664 wrote to memory of 3220	3664	VoicemodSetup_2.43.4.0.tmp	122
PID 3664 wrote to memory of 4984	3664	VoicemodSetup_2.43.4.0.tmp	124
PID 3664 wrote to memory of 4984	3664	VoicemodSetup_2.43.4.0.tmp	124
PID 3664 wrote to memory of 4272	3664	VoicemodSetup_2.43.4.0.tmp	126
PID 3664 wrote to memory of 4272	3664	VoicemodSetup_2.43.4.0.tmp	126
PID 4272 wrote to memory of 4748	4272	cmd.exe	128
PID 4272 wrote to memory of 4748	4272	cmd.exe	128
PID 4748 wrote to memory of 4212	4748	powershell.exe	130
PID 4748 wrote to memory of 4212	4748	powershell.exe	130
PID 4212 wrote to memory of 1076	4212	cmd.exe	132
PID 4212 wrote to memory of 1076	4212	cmd.exe	132
PID 1076 wrote to memory of 4776	1076	net.exe	133
PID 1076 wrote to memory of 4776	1076	net.exe	133
PID 4212 wrote to memory of 4140	4212	cmd.exe	134
PID 4212 wrote to memory of 4140	4212	cmd.exe	134
PID 4140 wrote to memory of 4292	4140	net.exe	135
PID 4140 wrote to memory of 4292	4140	net.exe	135
PID 4212 wrote to memory of 4012	4212	cmd.exe	136
PID 4212 wrote to memory of 4012	4212	cmd.exe	136
PID 4012 wrote to memory of 3944	4012	cmd.exe	137
PID 4012 wrote to memory of 3944	4012	cmd.exe	137
PID 4212 wrote to memory of 1668	4212	cmd.exe	138
PID 4212 wrote to memory of 1668	4212	cmd.exe	138
PID 1668 wrote to memory of 1200	1668	net.exe	139
PID 1668 wrote to memory of 1200	1668	net.exe	139
PID 4212 wrote to memory of 792	4212	cmd.exe	142
PID 4212 wrote to memory of 792	4212	cmd.exe	142
PID 792 wrote to memory of 624	792	cmd.exe	143
PID 792 wrote to memory of 624	792	cmd.exe	143
PID 4212 wrote to memory of 3244	4212	cmd.exe	144
PID 4212 wrote to memory of 3244	4212	cmd.exe	144
PID 3244 wrote to memory of 3576	3244	cmd.exe	145
PID 3244 wrote to memory of 3576	3244	cmd.exe	145
PID 4212 wrote to memory of 4876	4212	cmd.exe	146
PID 4212 wrote to memory of 4876	4212	cmd.exe	146
PID 4876 wrote to memory of 1096	4876	cmd.exe	147
PID 4876 wrote to memory of 1096	4876	cmd.exe	147
PID 4212 wrote to memory of 4532	4212	cmd.exe	148

C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.43.4.0.exe
"C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.43.4.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\is-9STRR.tmp\VoicemodSetup_2.43.4.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9STRR.tmp\VoicemodSetup_2.43.4.0.tmp" /SL5="$5022A,115903133,720896,C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.43.4.0.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=f99eb88b-8818-423d-beb8-51f1b1c0c9e4 -o C:\Users\Admin\AppData\Local\Temp\is-8O1EI.tmp\deviceId.txt
    3⤵
    PID:5108
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4932
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4864
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:3716
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpLicense\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4360
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectDir\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"6\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:3248
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectTasks\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"9\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:1112
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpReady\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"10\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:2044
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpPreparing\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"11\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:376
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpInstalling\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"12\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:1552
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Install\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:3220
- - C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
    "C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt
    3⤵
    - Executes dropped EXE
    PID:4984
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Start-Process 'setupDrvAdmin.bat' -Verb runAs -WindowStyle Hidden -Wait"
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Voicemod Desktop\driver\setupDrvAdmin.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        7⤵
        
        PID:4776
      - C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        7⤵
        
        PID:4292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "voicemodcon.exe dp_enum"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon.exe dp_enum
        7⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:3944
      - C:\Windows\system32\net.exe
        
        net start audiosrv
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        7⤵
        
        PID:1200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        7⤵
        Executes dropped EXE
        
        PID:624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        7⤵
        Executes dropped EXE
        
        PID:3576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        7⤵
        Executes dropped EXE
        
        PID:1096
      - C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        6⤵
        
        PID:4532
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        7⤵
        
        PID:364
      - C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        6⤵
        
        PID:4644
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        7⤵
        
        PID:4028
      - C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon install mvvad.inf *VMDriver
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
      - C:\Windows\system32\net.exe
        
        net start audiosrv
        6⤵
        
        PID:3636
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{97a8e926-92a2-40b8-b9f0-8f79a803ac35}" --flow=Capture --role=Communications
        6⤵
        Executes dropped EXE
        
        PID:3808
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{97a8e926-92a2-40b8-b9f0-8f79a803ac35}" --flow=Capture --role=Multimedia
        6⤵
        Executes dropped EXE
        
        PID:2200
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{97a8e926-92a2-40b8-b9f0-8f79a803ac35}" --flow=Capture --role=Console
        6⤵
        Executes dropped EXE
        
        PID:2964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\disableDrv.bat""
    3⤵
    PID:1768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
      4⤵
      PID:2496
    - - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
        5⤵
        Executes dropped EXE
        
        PID:2684
  - - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
      AudioEndPointTool.exe setvisibility --id="{0.0.1.00000000}.{f4101673-a791-45bc-bb96-b5b49911bd20}" --visible=false
      4⤵
      Executes dropped EXE
      PID:2692
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    PID:3300
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Modifies Windows Firewall
      PID:4092
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    PID:4480
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Modifies Windows Firewall
      PID:1636
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    PID:220
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Modifies Windows Firewall
      PID:2068
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Step PostInstall\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:908
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpFinished\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"14\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:2380
- - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
    "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=gpu-process --no-sandbox --enable-gpu-rasterization --disable-gpu-vsync=0 --log-severity=disable --user-agent-product="VoicemodDesktop 2.43.4.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=102932 --field-trial-handle=15688,i,12790112847949518234,7285027124085286098,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 --host-process-id=4472 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fcorevoice|25
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:848
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.43.4.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=76332 --field-trial-handle=15688,i,12790112847949518234,7285027124085286098,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=4472 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fcorevoice|25
      4⤵
      Executes dropped EXE
      PID:4480
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.43.4.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=96604 --field-trial-handle=15688,i,12790112847949518234,7285027124085286098,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=4472 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fcorevoice|25
      4⤵
      Executes dropped EXE
      PID:2348
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.43.4.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=51456 --field-trial-handle=15688,i,12790112847949518234,7285027124085286098,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=4472 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fcorevoice|25 /prefetch:1
      4⤵
      PID:4260
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.43.4.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=60244 --field-trial-handle=15688,i,12790112847949518234,7285027124085286098,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=4472 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fcorevoice|25 /prefetch:1
      4⤵
      PID:3952
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\"},\"mp_deviceid\": \"df501549-657b-4ddd-b9ab-4b6093c1dc54\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Done\" , \"custom_attributes\": { \"version\": \"2.43.4.0\", \"machine_guid\": \"f99eb88b-8818-423d-beb8-51f1b1c0c9e4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:3196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4592
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c3f357e3-0868-3547-aa16-f5783ee0eb5e}\mvvad.inf" "9" "499a51a03" "000000000000014C" "WinSta0\Default" "0000000000000164" "208" "c:\program files\voicemod desktop\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1340
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:2022.6.1.0:*vmdriver," "499a51a03" "000000000000014C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start audiosrv
1⤵
PID:4360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voicemod Desktop\AutoUpdater.NET.dll

Filesize
405KB

MD5
07809155502ca460862d6c3cd554200d

SHA1
a648d3dceaa0dab29bdeb3b08cfcc05b816dd28a

SHA256
4afa1ef0f2df936fe2ff026d73b9630cff0d567cb66e3e09ed94783c0d3a054e

SHA512
6314679bab44ac165e77689ee8265f3687b8e7636a0b0fc688fc1b4581ba376c612e8d117dc50e8ae447a36e161167fa4b7d3365e9b92cc7d80f56a8b57d0e08

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.dll

Filesize
37KB

MD5
7060cc7bc98ad30d6dae86fa4beee3a2

SHA1
a507ab0eb9c72353587f45d8c50d4c1f52b35add

SHA256
61657e60144a9dcfccb90bcb6e6c9fa691b8341f0faa639e0eaa42c4c435731f

SHA512
d85ae4a6bccecf4676dbf831fa2916d85419d4e0fdaa2eff15c648515ff1a8fb568bd77fbf0f5c45230cb835be94569db08c0c6e4b1873afda24c2beb738ced3

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.WinForms.dll

Filesize
52KB

MD5
2c00d80f3feb6ef58f4f9c1c1ff56171

SHA1
965c723459f78903652de8d639a2a84f2763db42

SHA256
458364b192b1c4b6c4bba8b5296df46c39042552106f5f19bf01a565463e63c3

SHA512
0c1882e518b60d415ed202ee11cd780470888f303ace759d7804428a4eb70824f67433b71bdb3d69350aa898eebe0a0152bb32127da751a480366ed273f7a64f

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.dll

Filesize
1.1MB

MD5
8fa3f8f402ec7481c04af9ab8da0c37d

SHA1
700641ff91978c27c3543ef4daf9a6e813f27c66

SHA256
a09d9428d7866828719640c1841ce5877ef829d1c2f48dcf651fbf5cc53a93ed

SHA512
a42696f231b1a91b3b2c14b2867aaac4750b7d009f161d7a3fa8f8b24ab74f548a718cbe298c400d7cbbb0db4bf473fe667ad6ed5da69eb9e2d7fa2a24971055

Download Submit
C:\Program Files\Voicemod Desktop\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
20KB

MD5
1ee251645b8a54a116d6d06c83a2bd85

SHA1
5dbf1534ffbff016cc45559eb5eff3dc4252a522

SHA256
075ce79e84041137c78885b3738c1b5a03547d0ae2a79916e844196a9d0ec1db

SHA512
9f67fd0566eac2da4253d08697daab427e4e85780615d940f086a88424dcbb0563abae7e4824088e64ef7024c1bb3bbf324f2d07bc7ba55f79e4af3c9ea88e97

Download Submit
C:\Program Files\Voicemod Desktop\Microsoft.Extensions.DependencyInjection.Abstractions.dll

Filesize
36KB

MD5
bd0cb2bc62a2485e93aa36fa6941c0ce

SHA1
453cfc5d9a9cb9c54ec38fef07d7bb3289484c7e

SHA256
4cbafb5c80b11692638d857c0227429f56cd27dee8fbf85b75cb1a98c8a86f84

SHA512
14c74166cd8f010cc6f0c496931e0ad11b9292e35fd3c899620980432c191ef4e44a44100d675b5d288bc779fe850e0727e161ee718caa60d1fde286bd65a8aa

Download Submit
C:\Program Files\Voicemod Desktop\Microsoft.Extensions.DependencyInjection.dll

Filesize
59KB

MD5
9adb29aa65a7cc5ada2cf5c5e259407b

SHA1
a049318e3ab543354b87ba88058e362a06bba90e

SHA256
772ad7674284c0f62e5c90d0772283b8152ad704e612d5d46088c77d17314d1c

SHA512
930f1f10a781c792742b9663ccaef5dd6a77921c63938274422d072ec9843e71c34fbdc780b950f4f625ee8c85a675900f9f0e866d1daccb5a922c216145a4dd

Download Submit
C:\Program Files\Voicemod Desktop\Microsoft.Extensions.Hosting.Abstractions.dll

Filesize
22KB

MD5
f3616191069793a8c40045ed0fcb6309

SHA1
8f4d447f6e5bc442953517dbf5598cd7ccd945a6

SHA256
fc67990fb44d03c9c61323e362aefb749024192963d87cc99eacccf5b468449f

SHA512
3819305d55bcafb33fa867f6888c738b1464519e3915f47773c3044116706c7381f226a72ae62241418b6b1af68fddb5af6a85fcbe49d63b1f6c099b592d72b8

Download Submit
C:\Program Files\Voicemod Desktop\NAudio.Vorbis.dll

Filesize
14KB

MD5
7721decf5f28e1470d40b912b2253779

SHA1
04536a984d29ad5bb1939ab83a1c5eea501f2670

SHA256
ca4cceb6a39d5b511abb897d8bd3c1de6921cf8a284da73be2f7ba79ac377b92

SHA512
2aa81e5a800f804ecbb206cbd2807d4a1987341dd211f8c493b6d5873e7d3d35f4db8c27b4d67631c592861eb3fa05037ea93d02585870e6354054df687af076

Download Submit
C:\Program Files\Voicemod Desktop\NAudio.dll

Filesize
501KB

MD5
047bca47d9d12191811fb2e87cded3aa

SHA1
afdc5d27fb919d1d813e6a07466f889dbc8c6677

SHA256
bc4bacc3b8b28d898f1671b79f216cca439f95eb60cd32d3e3ecafbecac42780

SHA512
99505644d42e4c60c977e4144165ea9dea8f1301e6456aa809e046ecc84a3813a190ce65169a6ffef5a36ad3541ec91002615a02933f8deb642aa3f8f3b11f2f

Download Submit
C:\Program Files\Voicemod Desktop\NLog.dll

Filesize
827KB

MD5
c71e0369481b26fc71eb11186635796e

SHA1
d77558ee49a2c01ff16a7ff08e71cbae32e0c2f1

SHA256
72d594b34415c86942d501e9e134034be23f342db08c6c4cd3344921a169d394

SHA512
9ec195c873680fb9ee7bbd2f1f397126d1b1d38c1630108e7206c3f678b80052207ac25247a254fd27ae93ff71e5b778c27afb423cc9946b91549a328ec4be04

Download Submit
C:\Program Files\Voicemod Desktop\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Program Files\Voicemod Desktop\Sentry.dll

Filesize
445KB

MD5
92faf44b4039491f6b8abe0b217c0121

SHA1
d2faa4e45eb08f2235a5b9ce98b6ce59f9313713

SHA256
cf0c0b8b780d11da59ba4578070511c7a20d45a02235d14f95551a8fbf23cecd

SHA512
2ce6ecd798e9418341035edffa4a260283447e84d6ee759bd56cf985e8ab928ab9bddee984f4a812944772a890c4375fd4a923edbc79d8a6d64f89d68b3e5b84

Download Submit
C:\Program Files\Voicemod Desktop\SimpleInjector.Integration.ServiceCollection.dll

Filesize
28KB

MD5
0fea67334de34e7642b0a68a7f38882a

SHA1
9b8cfee51c4575642af55e639656408c94b76f3f

SHA256
1ea06d8a47c1c9c516509996af6b480b3a46211cc8c2a823b44f655fdf5ecfec

SHA512
34fab98cbbb6886ed56bb6ab49d8adb374f081c152903704ff347c1f47a2fc574d510c1f569d7edc040992668bc956fb1ebe8b6356f8f98de32ca6076942ac0e

Download Submit
C:\Program Files\Voicemod Desktop\SimpleInjector.dll

Filesize
421KB

MD5
038070557b98ff8084c0787273e86f7e

SHA1
03c27b8f3bd2dff6c235dbeb339178c2ef2eea3d

SHA256
2aec4b2b9c23503c2d94f01bc3516ea1a4ff0d2e92f2e190783c8a49fb8158e9

SHA512
808972748e85f1ffa852579209aa0a96060a1fb3965545c4a63b40793f17d0e07f84eb9f9a9e1ccf716e7eeeaf60ac3141e1964945a0b0bf85298ce5daf7797c

Download Submit
C:\Program Files\Voicemod Desktop\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Program Files\Voicemod Desktop\Voicemod.VoicemodDesktop.UI.dll

Filesize
11.3MB

MD5
9575a8abe519e9626ca4dd8a54086df9

SHA1
00e887498a422edbf9ef04793431e451c7d8f614

SHA256
91cc15f69098b94a21fc7ce9afe369aa4e6c8014f3c347a8732293af5acc7791

SHA512
d9c89834bed26007ddc465be6bfb9f5e04d02a998a7727568513f16f940149f581be030032cd75ebd22a84c85b0e85af08f6095ccc109e0d972dc0d91dc67340

Download Submit
C:\Program Files\Voicemod Desktop\Voicemod.VoicemodDesktop.UI.dll

Filesize
11.3MB

MD5
9575a8abe519e9626ca4dd8a54086df9

SHA1
00e887498a422edbf9ef04793431e451c7d8f614

SHA256
91cc15f69098b94a21fc7ce9afe369aa4e6c8014f3c347a8732293af5acc7791

SHA512
d9c89834bed26007ddc465be6bfb9f5e04d02a998a7727568513f16f940149f581be030032cd75ebd22a84c85b0e85af08f6095ccc109e0d972dc0d91dc67340

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.1MB

MD5
865b6f59c6283bb37c4372e95007477b

SHA1
673a746d5960eaa7de484a0a67f3b04e7074fe00

SHA256
054da4573a48a33dc272816ce0aad71c85ce14805d7ef55897e5749694e353a2

SHA512
d572b67f9b26e28a8c00e7099eb08010d2210a2ed50734798feb592ece1dbe475bb3eb0447ab90bc381f7a23ef7bb1851566e137a4741ecc29a13c44a45275ce

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe.config

Filesize
7KB

MD5
2b70a213b9e67127f09948ab814ae417

SHA1
3802f6e7f6be7ea76e529dff37ac38b9ea55d0c7

SHA256
d8c3da764fca4495d0a7903dba58349dda77c50618593ae14884a8ee124ca28e

SHA512
2458bdb39ab5c960cb17318e3708a81654a964a899d41ae9c05f6824fdc2b42b34393f94ea17e0170eebf6da5fb61675563ae00dead8d717c0cbd812b915d928

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodSDK.dll

Filesize
28.3MB

MD5
9890174ee0122c2282b6db2182481039

SHA1
accb5a093c2c052eb68bfd14aa3302571ee0b321

SHA256
b118aa0ba65c85639151b83909159c5c2d371eb2d7900308dbc78421bb5629bb

SHA512
d2370c1f973218a14cac5664342f9926c28b7ae88d462e731b4bf7d4aa8a932e0bf9f47de92f9ae0458716b5e093a209068efc5e4d64ad2821a3d5a5f168cde2

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodSDK.dll

Filesize
28.3MB

MD5
9890174ee0122c2282b6db2182481039

SHA1
accb5a093c2c052eb68bfd14aa3302571ee0b321

SHA256
b118aa0ba65c85639151b83909159c5c2d371eb2d7900308dbc78421bb5629bb

SHA512
d2370c1f973218a14cac5664342f9926c28b7ae88d462e731b4bf7d4aa8a932e0bf9f47de92f9ae0458716b5e093a209068efc5e4d64ad2821a3d5a5f168cde2

Download Submit
C:\Program Files\Voicemod Desktop\chrome_elf.dll

Filesize
1.4MB

MD5
95e3b5a4324966d073e9feec47f8f9ae

SHA1
1b6fe6ebe1c9efdbb72682d8ecce05aac87bc159

SHA256
11bcca028f843de4a64b7a61031974fe139b4c6b6f8f0b9918d5a7cfdb03b9f3

SHA512
457c21632765534d7ac88eb876f8f802169548e2484dac6f44e88c55116d59867267c3e8ba9cec5e1e507ec97d41aa266a7383d483082d15d315551c114811f0

Download Submit
C:\Program Files\Voicemod Desktop\chrome_elf.dll

Filesize
1.4MB

MD5
95e3b5a4324966d073e9feec47f8f9ae

SHA1
1b6fe6ebe1c9efdbb72682d8ecce05aac87bc159

SHA256
11bcca028f843de4a64b7a61031974fe139b4c6b6f8f0b9918d5a7cfdb03b9f3

SHA512
457c21632765534d7ac88eb876f8f802169548e2484dac6f44e88c55116d59867267c3e8ba9cec5e1e507ec97d41aa266a7383d483082d15d315551c114811f0

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\disableDrv.bat

Filesize
273B

MD5
ecc70d85c21b6ca0eafdaecbd4b3fade

SHA1
b5750a80b7ebdda7aa4665596d466b0deb448965

SHA256
7fae365b37340c032703c8f5045d05f8c592890932ed74c1343c3e526c24ae00

SHA512
58e26ea44c7e8173caf7aa9fde3822ac68e74f8ae6b27c9dd6f06fbf1fdcef888ebd6d331cb3fad3df7c1974ebcf337b95d06c2c8d468349cb34674ea52d9ce1

Download Submit
C:\Program Files\Voicemod Desktop\driver\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrv.bat

Filesize
155B

MD5
40828dd0bcea33a654a95424a47ba6ac

SHA1
1628aa873bcee8535956c58d09c501999a109fbe

SHA256
c26adbc237104e98381973202b8749fa68329be80a10e54f3b6a046b04b35cdf

SHA512
14487658a8376a96460e2fe669f91716d7ed604b9b02df44cbe8212869ad368f31f33fc50617c0650f64893faf033af2ad209849083177ba5469c87e6ce27236

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrvAdmin.bat

Filesize
1KB

MD5
0f7177b97fdb5588f4f4ce93cba508fb

SHA1
e26497ce0f32c52e7e8eee534c1e94441ad6ee5e

SHA256
a3371fb86a3a865d51740c41791559c864072f2a4d146773cf06e8e159e18c88

SHA512
95e1d07cb7360d83cabff69cb7bbd670602e3077fb313fd1aeb10b025bc27d0b92aa848b34d5cf63defea030634d26e81838e9b1f5cb8f7007e12f2fffbeb59f

Download Submit
C:\Program Files\Voicemod Desktop\driver\uninstalldriver.bat

Filesize
1KB

MD5
a6261c36b1eb262f18c98e520966c329

SHA1
be1f1a0bdcc2f26bc41599b257f2b4c95a1a87a1

SHA256
d0cdbdb5be2be15f77861b6e08aa553d9e8580c224ef0f63e55064f415fc16f0

SHA512
06da998b9778148e15065b67ea6ffadd6df7babf6b1b435368e6c7b6e91d3506d3c3498140cd8b950e207d97c78a899e567b4fbf462d07f7ad473a878ea45fec

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Program Files\Voicemod Desktop\icudtl.dat

Filesize
10.1MB

MD5
2c367970ac87a9275eeec5629bb6fc3d

SHA1
399324d1aeee5e74747a6873501a1ee5aac005ee

SHA256
17d57b17d12dc5cfbf06413d68a06f45ccf245f4abdf5429f30256977c4ed6de

SHA512
f788a0d35f9e4bebe641ee67fff14968b62891f52d05bf638cd2c845df87f2e107c42a32bbe62f389f05e5673fe55cbdb85258571e698325400705cd7b16db01

Download Submit
C:\Program Files\Voicemod Desktop\libcef.dll

Filesize
186.9MB

MD5
6e2fcb606e29952a2c174f52c3d38092

SHA1
d7fa115fb50ad0f071e7c4d5c7da16738eba85d9

SHA256
7067eeea08595630ca99c6b12a889e3f383827a07873ae6d899e09bb65915634

SHA512
ea821711ecc746c17b58fba30a2d15b474f3b34117f4f668869416a3e3e937fa667071252e47a113022f27717e95a2effe1cf4ad14df0e9de5b84a6feb4a6691

Download Submit
C:\Program Files\Voicemod Desktop\libcef.dll

Filesize
186.9MB

MD5
6e2fcb606e29952a2c174f52c3d38092

SHA1
d7fa115fb50ad0f071e7c4d5c7da16738eba85d9

SHA256
7067eeea08595630ca99c6b12a889e3f383827a07873ae6d899e09bb65915634

SHA512
ea821711ecc746c17b58fba30a2d15b474f3b34117f4f668869416a3e3e937fa667071252e47a113022f27717e95a2effe1cf4ad14df0e9de5b84a6feb4a6691

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ddykd3ej.kwl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O1EI.tmp\bg-bottom.png

Filesize
1KB

MD5
a85701bbac20a65391e4e202afc96204

SHA1
a0e73596a79baaa29fbbb368bd132e3ee49d3b03

SHA256
7e3058acb23e999d1ddfdea122afd33bc487b075c2a966affeec4d38cdbb738f

SHA512
55b1015a0d6a613104ae7edb64a59d198a176ee4fc0c32d9f1af1e7ad577af606adf55ea5586ad25443fb9ea9e770dbc2267301027c1a5f3db5eff928086a27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O1EI.tmp\bg-inner.png

Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O1EI.tmp\bg-top.png

Filesize
32KB

MD5
dc19715992c0051d1456308b41f04e98

SHA1
85abf86dd0e738638fff84ecd44e5b3cdbb4b96d

SHA256
86bfe5acda1b1fc9bc8f205a58c824ad58179925d2ceae11b2a341122604457d

SHA512
2f7b3bfa6c084b830213996f7691b6abcb9efd0ac44da4739972758b4eab0478e46761d8590fcea03d2902909c2c992f1eed1ef48e353a05ba67c06189d2117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O1EI.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O1EI.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O1EI.tmp\buttons.png

Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O1EI.tmp\deviceId.txt

Filesize
36B

MD5
308851a0c51da56b499545aba1b7db5c

SHA1
f2fa78a7eea984b51184389d4589e32f288a5db0

SHA256
82603884e921b32efd11535653f3930a9a7149e5828d14d2f2a16852e8a1926d

SHA512
ce530ac9b12febc73bdbdf395132a837fbe5ea0bb2d9ea5eb20574e272ce6d61b6bc37489f013903a09af98527bccda4d619e8036fe2d4550679b23fde0294f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8O1EI.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9STRR.tmp\VoicemodSetup_2.43.4.0.tmp

Filesize
2.4MB

MD5
63888d0c6fd08bf5880d7c3acd1fb141

SHA1
4b4adb14849321da801f6d1fd126185a155988c9

SHA256
3a499c00b2c4d925232b993edb9de39976d4b26b57383b42eb99d196a361c8c4

SHA512
ecdb4449408e44765baf260a381e99bc215a56f7ec50e61629831d1b68c2a7a1951c09b7268434f938058ec79bc2c2f0a58993d6c3e5ddcc3562c9282748392d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9STRR.tmp\VoicemodSetup_2.43.4.0.tmp

Filesize
2.4MB

MD5
63888d0c6fd08bf5880d7c3acd1fb141

SHA1
4b4adb14849321da801f6d1fd126185a155988c9

SHA256
3a499c00b2c4d925232b993edb9de39976d4b26b57383b42eb99d196a361c8c4

SHA512
ecdb4449408e44765baf260a381e99bc215a56f7ec50e61629831d1b68c2a7a1951c09b7268434f938058ec79bc2c2f0a58993d6c3e5ddcc3562c9282748392d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt

Filesize
7KB

MD5
456f1306610bcfaf3f71aabdb4c3638d

SHA1
f4980debb8ec728662fa453127f2bfcdddf27d3b

SHA256
abcdc694d04dd227ffe5a2f49d8ee72c61b0e4be176b8aff4fba17c4264e36f2

SHA512
7f2c6b75d39496bdc7fb8fd0b89325a90176162ba6b42b2709795a608b747b50baa77b0d230b8da0746c72dd2f7d9efd8d9c1f811a5094dfa85064caa283cad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C3F35~1\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C3F35~1\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Users\Admin\AppData\Local\Temp\{c3f357e3-0868-3547-aa16-f5783ee0eb5e}\SET66C0.tmp

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{c3f357e3-0868-3547-aa16-f5783ee0eb5e}\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\{c3f357e3-0868-3547-aa16-f5783ee0eb5e}\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{c3f357e3-0868-3547-aa16-f5783ee0eb5e}\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Windows\INF\oem3.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Windows\System32\DriverStore\FileRepository\MVVAD~1.INF\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
\??\c:\PROGRA~1\VOICEM~1\driver\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
\??\c:\program files\voicemod desktop\driver\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
memory/848-977-0x0000022BBCF90000-0x0000022BBCFA0000-memory.dmp

Filesize
64KB

Download
memory/848-956-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/848-980-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/1500-880-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1500-140-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1500-134-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2348-981-0x0000020273330000-0x0000020273340000-memory.dmp

Filesize
64KB

Download
memory/2348-976-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/3664-227-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/3664-239-0x0000000003780000-0x000000000378E000-memory.dmp

Filesize
56KB

Download
memory/3664-738-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/3664-139-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3664-146-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/3664-147-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3664-610-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/3664-478-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/3664-310-0x0000000003780000-0x000000000378E000-memory.dmp

Filesize
56KB

Download
memory/3664-309-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/3664-308-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/3664-242-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/3664-241-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/3664-163-0x0000000003780000-0x000000000378E000-memory.dmp

Filesize
56KB

Download
memory/3664-238-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/3664-237-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/3664-232-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/3664-879-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/3664-222-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/3664-844-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/3664-217-0x0000000002490000-0x00000000025D0000-memory.dmp

Filesize
1.2MB

Download
memory/3952-1031-0x000002BEEB320000-0x000002BEEB330000-memory.dmp

Filesize
64KB

Download
memory/3952-1002-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/4260-982-0x000001ED58610000-0x000001ED58620000-memory.dmp

Filesize
64KB

Download
memory/4260-1029-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/4260-975-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/4472-938-0x00000231A66B0000-0x00000231A6734000-memory.dmp

Filesize
528KB

Download
memory/4472-853-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/4472-921-0x00000231A4B00000-0x00000231A4C00000-memory.dmp

Filesize
1024KB

Download
memory/4472-923-0x00000231A6470000-0x00000231A64DC000-memory.dmp

Filesize
432KB

Download
memory/4472-917-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/4472-916-0x00000231A4810000-0x00000231A4818000-memory.dmp

Filesize
32KB

Download
memory/4472-936-0x00000231A6410000-0x00000231A641A000-memory.dmp

Filesize
40KB

Download
memory/4472-913-0x00000231A46E0000-0x00000231A46EA000-memory.dmp

Filesize
40KB

Download
memory/4472-915-0x00000231A4800000-0x00000231A480A000-memory.dmp

Filesize
40KB

Download
memory/4472-911-0x00000231A4B00000-0x00000231A4C00000-memory.dmp

Filesize
1024KB

Download
memory/4472-940-0x00000231A6620000-0x00000231A6632000-memory.dmp

Filesize
72KB

Download
memory/4472-906-0x00000231A5D60000-0x00000231A5E10000-memory.dmp

Filesize
704KB

Download
memory/4472-942-0x00000231A5D50000-0x00000231A5D5E000-memory.dmp

Filesize
56KB

Download
memory/4472-943-0x00000231A6660000-0x00000231A667A000-memory.dmp

Filesize
104KB

Download
memory/4472-945-0x00000231A6400000-0x00000231A640E000-memory.dmp

Filesize
56KB

Download
memory/4472-908-0x00000231A5E10000-0x00000231A5E86000-memory.dmp

Filesize
472KB

Download
memory/4472-910-0x00000231A5E90000-0x00000231A5F00000-memory.dmp

Filesize
448KB

Download
memory/4472-947-0x00000231A6420000-0x00000231A642A000-memory.dmp

Filesize
40KB

Download
memory/4472-896-0x00000231A4820000-0x00000231A4934000-memory.dmp

Filesize
1.1MB

Download
memory/4472-949-0x00000231A6680000-0x00000231A6694000-memory.dmp

Filesize
80KB

Download
memory/4472-885-0x000002318B930000-0x000002318B940000-memory.dmp

Filesize
64KB

Download
memory/4472-882-0x00000231A44E0000-0x00000231A45B4000-memory.dmp

Filesize
848KB

Download
memory/4472-957-0x000002318B9B0000-0x000002318B9C0000-memory.dmp

Filesize
64KB

Download
memory/4472-1042-0x00000231A8D10000-0x00000231A8D18000-memory.dmp

Filesize
32KB

Download
memory/4472-883-0x000002318B9B0000-0x000002318B9C0000-memory.dmp

Filesize
64KB

Download
memory/4472-918-0x000002318B9B0000-0x000002318B9C0000-memory.dmp

Filesize
64KB

Download
memory/4472-852-0x0000023189590000-0x0000023189CA2000-memory.dmp

Filesize
7.1MB

Download
memory/4472-1041-0x00000231A8D60000-0x00000231A8D6A000-memory.dmp

Filesize
40KB

Download
memory/4472-1038-0x00000231A8980000-0x00000231A8990000-memory.dmp

Filesize
64KB

Download
memory/4472-1034-0x00000231A8D80000-0x00000231A8D8C000-memory.dmp

Filesize
48KB

Download
memory/4472-1033-0x00000231A8D30000-0x00000231A8D50000-memory.dmp

Filesize
128KB

Download
memory/4472-996-0x00000231A8920000-0x00000231A893A000-memory.dmp

Filesize
104KB

Download
memory/4472-1032-0x00000231A8910000-0x00000231A891C000-memory.dmp

Filesize
48KB

Download
memory/4472-1001-0x00000231A8E10000-0x00000231A8F02000-memory.dmp

Filesize
968KB

Download
memory/4472-1030-0x00000231A8DD0000-0x00000231A8E04000-memory.dmp

Filesize
208KB

Download
memory/4472-1009-0x00000231A8960000-0x00000231A897E000-memory.dmp

Filesize
120KB

Download
memory/4472-1010-0x00000231A9A70000-0x00000231AA5C4000-memory.dmp

Filesize
11.3MB

Download
memory/4472-1012-0x00000231A9440000-0x00000231A9968000-memory.dmp

Filesize
5.2MB

Download
memory/4480-1011-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/4480-983-0x000001FC5FBE0000-0x000001FC5FBF0000-memory.dmp

Filesize
64KB

Download
memory/4480-964-0x00007FFA04480000-0x00007FFA04F41000-memory.dmp

Filesize
10.8MB

Download
memory/4748-736-0x000001E0D8220000-0x000001E0D8230000-memory.dmp

Filesize
64KB

Download
memory/4748-735-0x000001E0D8220000-0x000001E0D8230000-memory.dmp

Filesize
64KB

Download
memory/4748-751-0x000001E0D8220000-0x000001E0D8230000-memory.dmp

Filesize
64KB

Download
memory/4748-734-0x00007FFA04280000-0x00007FFA04D41000-memory.dmp

Filesize
10.8MB

Download
memory/4748-733-0x000001E0D81D0000-0x000001E0D81F2000-memory.dmp

Filesize
136KB

Download
memory/4748-756-0x00007FFA04280000-0x00007FFA04D41000-memory.dmp

Filesize
10.8MB

Download
memory/4748-758-0x000001E0D8220000-0x000001E0D8230000-memory.dmp

Filesize
64KB

Download
memory/4748-838-0x00007FFA04280000-0x00007FFA04D41000-memory.dmp

Filesize
10.8MB

Download