8ed90458d2d38abe6510377a28ccae07ab44bb0d72bdf7dfb7f7400775f2ae17

Analysis

max time kernel
410s
max time network
425s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoicemodSetup_2.46.0.0.exe
Size

113.0MB
MD5

6a1079c0feb201875ab6d12db2c38c35
SHA1

38e546d7acce9b6e8e74abd45b139f79fd13cd4f
SHA256

8ed90458d2d38abe6510377a28ccae07ab44bb0d72bdf7dfb7f7400775f2ae17
SHA512

128d6203c4733473006b1afde324a2346ad7f2fa5151e9f03e14155e9e916ad6cc240abee4c00a186f26a643b69a75e06d25dac7e3d93a850b9a01f6d28d8457
SSDEEP

1572864:mSXyMuz2+zu5uxFbEOSe4TeXiZinscllPAc3Nxmc5X+a1Uyo5GyhloNy1UPhzTno:mSXyMuHQYHSWSmoc3/mc5lUiNy1UZzk

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\SET3E04.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SET3E04.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Windows Service

T1543.003

pid	Process
1592	netsh.exe
2588	netsh.exe
5080	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voicemod = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\""	VoicemodSetup_2.46.0.0.tmp

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	VoicemodDesktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	VoicemodDesktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	VoicemodDesktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	VoicemodDesktop.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}\SET3682.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}\SET36B2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}\SET36C3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}\mvvad.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.PNF	voicemodcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}\SET36B2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}\SET36C3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}\SET3682.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ce38159-1c78-a443-b7d2-0003b4795912}\mvvad.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Hosting.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Routing.Abstractions.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Diagnostics.DiagnosticSource.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh-tw\AutoUpdater.NET.resources.dll	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-MKJ8F.tmp	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\vi.pak	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Analytics.Xamarin.Standard.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Extensions.Configuration.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Extensions.Options.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Sentry.dll	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-AN5EG.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-83F23.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-7GKKJ.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-U4AJM.tmp	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\ja.pak	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\sk.pak	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\unins000.msg	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Http.Extensions.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Threading.Channels.dll	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-HRPEC.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-FSOJE.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-U2DIP.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-02LQD.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-3B1DN.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-UQPTE.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-SEKIG.tmp	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\IO.Ably.dll	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-VPVT4.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-MM56M.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-PCP8J.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-9N299.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-2F1GC.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\zh\is-IOKCM.tmp	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Reflection.Metadata.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Connections.Abstractions.dll	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-E3V83.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-QUI3M.tmp	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\libcef.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\SimpleInjector.Integration.ServiceCollection.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\NVorbis.dll	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-EBLAL.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-7DCKJ.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-MB1SH.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-RS3U7.tmp	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Extensions.ObjectPool.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\SevenZip.dll	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-6OG4F.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-DILKT.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-42RJ1.tmp	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\IterableAPI.dll	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Net.WebSockets.WebSocketProtocol.dll	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-NQS15.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-N5VFN.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-P92C3.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-4VMMS.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-U2VU4.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-4KBCE.tmp	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\lv.pak	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-6730C.tmp	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-73O2J.tmp	VoicemodSetup_2.46.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\ru.pak	VoicemodSetup_2.46.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-KMIGO.tmp	VoicemodSetup_2.46.0.0.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem1.PNF	voicemodcon.exe
File created	C:\Windows\INF\oem2.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	voicemodcon.exe
File created	C:\Windows\INF\c_media.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Executes dropped EXE 20 IoCs

pid	Process
1804	VoicemodSetup_2.46.0.0.tmp
2344	SaveDefaultDevices.exe
2956	voicemodcon.exe
1412	AudioEndPointTool.exe
1132	AudioEndPointTool.exe
3544	AudioEndPointTool.exe
4464	voicemodcon.exe
1728	AudioEndPointTool.exe
2080	AudioEndPointTool.exe
2276	AudioEndPointTool.exe
4416	AudioEndPointTool.exe
3372	AudioEndPointTool.exe
1296	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
3588	VoicemodDesktop.exe
5020	VoicemodDesktop.exe

Loads dropped DLL 64 IoCs

pid	Process
1804	VoicemodSetup_2.46.0.0.tmp
1804	VoicemodSetup_2.46.0.0.tmp
1804	VoicemodSetup_2.46.0.0.tmp
1296	VoicemodDesktop.exe
1296	VoicemodDesktop.exe
1296	VoicemodDesktop.exe
1296	VoicemodDesktop.exe
1296	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
1296	VoicemodDesktop.exe
1296	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
2136	VoicemodDesktop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 62 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2080	tasklist.exe
3684	tasklist.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon\ = "VoicemodDesktop.exe,1"	VoicemodSetup_2.46.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell	VoicemodSetup_2.46.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open	VoicemodSetup_2.46.0.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command\ = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\" \"%1\""	VoicemodSetup_2.46.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod	VoicemodSetup_2.46.0.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\ = "URL:Voicemod Command Protocol"	VoicemodSetup_2.46.0.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\URL Protocol	VoicemodSetup_2.46.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon	VoicemodSetup_2.46.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command	VoicemodSetup_2.46.0.0.tmp
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	VoicemodDesktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	VoicemodDesktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	VoicemodDesktop.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1804	VoicemodSetup_2.46.0.0.tmp
1804	VoicemodSetup_2.46.0.0.tmp
1244	powershell.exe
1244	powershell.exe
3948	VoicemodDesktop.exe
3948	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
4208	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2756	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2752	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
2136	VoicemodDesktop.exe
1296	VoicemodDesktop.exe
3588	VoicemodDesktop.exe
3588	VoicemodDesktop.exe
5020	VoicemodDesktop.exe
5020	VoicemodDesktop.exe
5020	VoicemodDesktop.exe
5020	VoicemodDesktop.exe
5020	VoicemodDesktop.exe
1296	VoicemodDesktop.exe
1296	VoicemodDesktop.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	tasklist.exe
Token: SeDebugPrivilege	3684	tasklist.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeAuditPrivilege	3368	svchost.exe
Token: SeSecurityPrivilege	3368	svchost.exe
Token: SeLoadDriverPrivilege	4464	voicemodcon.exe
Token: SeRestorePrivilege	184	DrvInst.exe
Token: SeBackupPrivilege	184	DrvInst.exe
Token: SeRestorePrivilege	184	DrvInst.exe
Token: SeBackupPrivilege	184	DrvInst.exe
Token: SeRestorePrivilege	184	DrvInst.exe
Token: SeBackupPrivilege	184	DrvInst.exe
Token: SeLoadDriverPrivilege	184	DrvInst.exe
Token: SeLoadDriverPrivilege	184	DrvInst.exe
Token: SeLoadDriverPrivilege	184	DrvInst.exe
Token: SeDebugPrivilege	1296	VoicemodDesktop.exe
Token: SeDebugPrivilege	3948	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeDebugPrivilege	4208	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeDebugPrivilege	2756	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeDebugPrivilege	2752	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeDebugPrivilege	2136	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe
Token: SeDebugPrivilege	3588	VoicemodDesktop.exe
Token: SeShutdownPrivilege	1296	VoicemodDesktop.exe
Token: SeCreatePagefilePrivilege	1296	VoicemodDesktop.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1804	VoicemodSetup_2.46.0.0.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1804	1780	VoicemodSetup_2.46.0.0.exe	92
PID 1780 wrote to memory of 1804	1780	VoicemodSetup_2.46.0.0.exe	92
PID 1780 wrote to memory of 1804	1780	VoicemodSetup_2.46.0.0.exe	92
PID 1804 wrote to memory of 3972	1804	VoicemodSetup_2.46.0.0.tmp	108
PID 1804 wrote to memory of 3972	1804	VoicemodSetup_2.46.0.0.tmp	108
PID 1804 wrote to memory of 4224	1804	VoicemodSetup_2.46.0.0.tmp	110
PID 1804 wrote to memory of 4224	1804	VoicemodSetup_2.46.0.0.tmp	110
PID 1804 wrote to memory of 3392	1804	VoicemodSetup_2.46.0.0.tmp	112
PID 1804 wrote to memory of 3392	1804	VoicemodSetup_2.46.0.0.tmp	112
PID 3392 wrote to memory of 2080	3392	cmd.exe	114
PID 3392 wrote to memory of 2080	3392	cmd.exe	114
PID 1804 wrote to memory of 3680	1804	VoicemodSetup_2.46.0.0.tmp	115
PID 1804 wrote to memory of 3680	1804	VoicemodSetup_2.46.0.0.tmp	115
PID 3680 wrote to memory of 3684	3680	cmd.exe	117
PID 3680 wrote to memory of 3684	3680	cmd.exe	117
PID 1804 wrote to memory of 4336	1804	VoicemodSetup_2.46.0.0.tmp	118
PID 1804 wrote to memory of 4336	1804	VoicemodSetup_2.46.0.0.tmp	118
PID 1804 wrote to memory of 4736	1804	VoicemodSetup_2.46.0.0.tmp	120
PID 1804 wrote to memory of 4736	1804	VoicemodSetup_2.46.0.0.tmp	120
PID 1804 wrote to memory of 3080	1804	VoicemodSetup_2.46.0.0.tmp	122
PID 1804 wrote to memory of 3080	1804	VoicemodSetup_2.46.0.0.tmp	122
PID 1804 wrote to memory of 3060	1804	VoicemodSetup_2.46.0.0.tmp	124
PID 1804 wrote to memory of 3060	1804	VoicemodSetup_2.46.0.0.tmp	124
PID 1804 wrote to memory of 3912	1804	VoicemodSetup_2.46.0.0.tmp	126
PID 1804 wrote to memory of 3912	1804	VoicemodSetup_2.46.0.0.tmp	126
PID 1804 wrote to memory of 4364	1804	VoicemodSetup_2.46.0.0.tmp	128
PID 1804 wrote to memory of 4364	1804	VoicemodSetup_2.46.0.0.tmp	128
PID 1804 wrote to memory of 4344	1804	VoicemodSetup_2.46.0.0.tmp	130
PID 1804 wrote to memory of 4344	1804	VoicemodSetup_2.46.0.0.tmp	130
PID 1804 wrote to memory of 2140	1804	VoicemodSetup_2.46.0.0.tmp	131
PID 1804 wrote to memory of 2140	1804	VoicemodSetup_2.46.0.0.tmp	131
PID 1804 wrote to memory of 2344	1804	VoicemodSetup_2.46.0.0.tmp	135
PID 1804 wrote to memory of 2344	1804	VoicemodSetup_2.46.0.0.tmp	135
PID 1804 wrote to memory of 1844	1804	VoicemodSetup_2.46.0.0.tmp	138
PID 1804 wrote to memory of 1844	1804	VoicemodSetup_2.46.0.0.tmp	138
PID 1844 wrote to memory of 1244	1844	cmd.exe	140
PID 1844 wrote to memory of 1244	1844	cmd.exe	140
PID 1244 wrote to memory of 4268	1244	powershell.exe	141
PID 1244 wrote to memory of 4268	1244	powershell.exe	141
PID 4268 wrote to memory of 4752	4268	cmd.exe	143
PID 4268 wrote to memory of 4752	4268	cmd.exe	143
PID 4752 wrote to memory of 3956	4752	net.exe	144
PID 4752 wrote to memory of 3956	4752	net.exe	144
PID 4268 wrote to memory of 2076	4268	cmd.exe	145
PID 4268 wrote to memory of 2076	4268	cmd.exe	145
PID 2076 wrote to memory of 1028	2076	net.exe	146
PID 2076 wrote to memory of 1028	2076	net.exe	146
PID 4268 wrote to memory of 4232	4268	cmd.exe	147
PID 4268 wrote to memory of 4232	4268	cmd.exe	147
PID 4232 wrote to memory of 2956	4232	cmd.exe	148
PID 4232 wrote to memory of 2956	4232	cmd.exe	148
PID 4268 wrote to memory of 4876	4268	cmd.exe	149
PID 4268 wrote to memory of 4876	4268	cmd.exe	149
PID 4876 wrote to memory of 4436	4876	net.exe	150
PID 4876 wrote to memory of 4436	4876	net.exe	150
PID 4268 wrote to memory of 1864	4268	cmd.exe	153
PID 4268 wrote to memory of 1864	4268	cmd.exe	153
PID 1864 wrote to memory of 1412	1864	cmd.exe	154
PID 1864 wrote to memory of 1412	1864	cmd.exe	154
PID 4268 wrote to memory of 2088	4268	cmd.exe	155
PID 4268 wrote to memory of 2088	4268	cmd.exe	155
PID 2088 wrote to memory of 1132	2088	cmd.exe	156
PID 2088 wrote to memory of 1132	2088	cmd.exe	156
PID 4268 wrote to memory of 4592	4268	cmd.exe	157

C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.46.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.46.0.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\is-007IC.tmp\VoicemodSetup_2.46.0.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-007IC.tmp\VoicemodSetup_2.46.0.0.tmp" /SL5="$30222,117646647,720896,C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.46.0.0.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=6dea0a27-17be-4a6b-a782-20592663cb7b -o C:\Users\Admin\AppData\Local\Temp\is-M7VI4.tmp\deviceId.txt
    3⤵
    PID:3972
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4224
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2080
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_VoicemodDesktop.exe.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3684
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4336
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpLicense\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4736
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectDir\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"6\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:3080
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectTasks\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"9\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:3060
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpReady\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"10\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:3912
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpPreparing\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"11\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4364
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpInstalling\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"12\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4344
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Install\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:2140
- - C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
    "C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Start-Process 'setupDrvAdmin.bat' -Verb runAs -WindowStyle Hidden -Wait"
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Voicemod Desktop\driver\setupDrvAdmin.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        7⤵
        
        PID:3956
      - C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        7⤵
        
        PID:1028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "voicemodcon.exe dp_enum"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon.exe dp_enum
        7⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:2956
      - C:\Windows\system32\net.exe
        
        net start audiosrv
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        7⤵
        
        PID:4436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        7⤵
        Executes dropped EXE
        
        PID:1412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        7⤵
        Executes dropped EXE
        
        PID:1132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        6⤵
        
        PID:4592
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        7⤵
        Executes dropped EXE
        
        PID:3544
      - C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        6⤵
        
        PID:4520
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        7⤵
        
        PID:2228
      - C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        6⤵
        
        PID:4332
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        7⤵
        
        PID:3620
      - C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon install mvvad.inf *VMDriver
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
      - C:\Windows\system32\net.exe
        
        net start audiosrv
        6⤵
        
        PID:1872
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        7⤵
        
        PID:3680
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{2b2150ae-b32a-4118-a5ae-f91c1450126c}" --flow=Capture --role=Communications
        6⤵
        Executes dropped EXE
        
        PID:1728
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{2b2150ae-b32a-4118-a5ae-f91c1450126c}" --flow=Capture --role=Multimedia
        6⤵
        Executes dropped EXE
        
        PID:2080
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{2b2150ae-b32a-4118-a5ae-f91c1450126c}" --flow=Capture --role=Console
        6⤵
        Executes dropped EXE
        
        PID:2276
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\disableDrv.bat""
    3⤵
    PID:2076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
      4⤵
      PID:3520
    - - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
        5⤵
        Executes dropped EXE
        
        PID:4416
  - - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
      AudioEndPointTool.exe setvisibility --id="{0.0.1.00000000}.{d5599ac1-164d-4d91-947c-6aaeb6d2010e}" --visible=false
      4⤵
      Executes dropped EXE
      PID:3372
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    PID:2956
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Modifies Windows Firewall
      PID:5080
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    PID:2828
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Modifies Windows Firewall
      PID:1592
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    PID:3600
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Modifies Windows Firewall
      PID:2588
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Step PostInstall\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:460
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpFinished\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"14\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:212
- - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
    "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=gpu-process --no-sandbox --enable-gpu-rasterization --disable-gpu-vsync=0 --log-severity=disable --user-agent-product="VoicemodDesktop 2.46.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=53168 --field-trial-handle=24100,i,13151388254152889772,7785717827726369629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 --host-process-id=1296 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3948
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.46.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=57648 --field-trial-handle=24100,i,13151388254152889772,7785717827726369629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=1296 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4208
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.46.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=62436 --field-trial-handle=24100,i,13151388254152889772,7785717827726369629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=1296 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2756
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.46.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=6676 --field-trial-handle=24100,i,13151388254152889772,7785717827726369629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=1296 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2136
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.46.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=102500 --field-trial-handle=24100,i,13151388254152889772,7785717827726369629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=1296 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2752
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.46.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1096 --field-trial-handle=24100,i,13151388254152889772,7785717827726369629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=1296 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3588
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.46.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=58852 --field-trial-handle=24100,i,13151388254152889772,7785717827726369629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=1296 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://redirect.voicemod.net/?url=https%3a%2f%2faccount.voicemod.net%2f%23%2f%3faction%3dlogin%26ws%3d59129&origin=desktop&u=6dea0a27-17be-4a6b-a782-20592663cb7b&appVersion=2.46.0.0
      4⤵
      PID:3340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83c2846f8,0x7ff83c284708,0x7ff83c284718
        5⤵
        
        PID:3672
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"676eb239-be82-450c-b311-3dc5c616ba47\"},\"mp_deviceid\": \"676eb239-be82-450c-b311-3dc5c616ba47\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Done\" , \"custom_attributes\": { \"version\": \"2.46.0.0\", \"machine_guid\": \"6dea0a27-17be-4a6b-a782-20592663cb7b\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:2448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:3420

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{72a53cc2-1773-5b42-96c9-908965f2b707}\mvvad.inf" "9" "499a51a03" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files\voicemod desktop\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3368
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:2022.6.1.0:*vmdriver," "499a51a03" "000000000000014C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voicemod Desktop\AutoUpdater.NET.dll

Filesize
405KB

MD5
07809155502ca460862d6c3cd554200d

SHA1
a648d3dceaa0dab29bdeb3b08cfcc05b816dd28a

SHA256
4afa1ef0f2df936fe2ff026d73b9630cff0d567cb66e3e09ed94783c0d3a054e

SHA512
6314679bab44ac165e77689ee8265f3687b8e7636a0b0fc688fc1b4581ba376c612e8d117dc50e8ae447a36e161167fa4b7d3365e9b92cc7d80f56a8b57d0e08

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
ce8ba1fcfe4f1b2a64bafc9f83ad3542

SHA1
eaea967af3c30d56b6eb2730ef7f951ebbc5bbd0

SHA256
0c49e126c6d0a085452ea82bc551f239db2cfe92c05dcb154610f96a716a762a

SHA512
2d882fcd74435e4c0066132e226e12814bbd1077c4f8cafcfd1ad47ecf57897759a76428650f2697a9442a3237a81c438dd5d117e93597c1e3e177ac5503f8a6

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.Core.dll

Filesize
37KB

MD5
7060cc7bc98ad30d6dae86fa4beee3a2

SHA1
a507ab0eb9c72353587f45d8c50d4c1f52b35add

SHA256
61657e60144a9dcfccb90bcb6e6c9fa691b8341f0faa639e0eaa42c4c435731f

SHA512
d85ae4a6bccecf4676dbf831fa2916d85419d4e0fdaa2eff15c648515ff1a8fb568bd77fbf0f5c45230cb835be94569db08c0c6e4b1873afda24c2beb738ced3

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.WinForms.dll

Filesize
52KB

MD5
2c00d80f3feb6ef58f4f9c1c1ff56171

SHA1
965c723459f78903652de8d639a2a84f2763db42

SHA256
458364b192b1c4b6c4bba8b5296df46c39042552106f5f19bf01a565463e63c3

SHA512
0c1882e518b60d415ed202ee11cd780470888f303ace759d7804428a4eb70824f67433b71bdb3d69350aa898eebe0a0152bb32127da751a480366ed273f7a64f

Download Submit
C:\Program Files\Voicemod Desktop\CefSharp.dll

Filesize
1.1MB

MD5
8fa3f8f402ec7481c04af9ab8da0c37d

SHA1
700641ff91978c27c3543ef4daf9a6e813f27c66

SHA256
a09d9428d7866828719640c1841ce5877ef829d1c2f48dcf651fbf5cc53a93ed

SHA512
a42696f231b1a91b3b2c14b2867aaac4750b7d009f161d7a3fa8f8b24ab74f548a718cbe298c400d7cbbb0db4bf473fe667ad6ed5da69eb9e2d7fa2a24971055

Download Submit
C:\Program Files\Voicemod Desktop\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
20KB

MD5
1ee251645b8a54a116d6d06c83a2bd85

SHA1
5dbf1534ffbff016cc45559eb5eff3dc4252a522

SHA256
075ce79e84041137c78885b3738c1b5a03547d0ae2a79916e844196a9d0ec1db

SHA512
9f67fd0566eac2da4253d08697daab427e4e85780615d940f086a88424dcbb0563abae7e4824088e64ef7024c1bb3bbf324f2d07bc7ba55f79e4af3c9ea88e97

Download Submit
C:\Program Files\Voicemod Desktop\Microsoft.Extensions.DependencyInjection.Abstractions.dll

Filesize
36KB

MD5
bd0cb2bc62a2485e93aa36fa6941c0ce

SHA1
453cfc5d9a9cb9c54ec38fef07d7bb3289484c7e

SHA256
4cbafb5c80b11692638d857c0227429f56cd27dee8fbf85b75cb1a98c8a86f84

SHA512
14c74166cd8f010cc6f0c496931e0ad11b9292e35fd3c899620980432c191ef4e44a44100d675b5d288bc779fe850e0727e161ee718caa60d1fde286bd65a8aa

Download Submit
C:\Program Files\Voicemod Desktop\Microsoft.Extensions.DependencyInjection.dll

Filesize
59KB

MD5
9adb29aa65a7cc5ada2cf5c5e259407b

SHA1
a049318e3ab543354b87ba88058e362a06bba90e

SHA256
772ad7674284c0f62e5c90d0772283b8152ad704e612d5d46088c77d17314d1c

SHA512
930f1f10a781c792742b9663ccaef5dd6a77921c63938274422d072ec9843e71c34fbdc780b950f4f625ee8c85a675900f9f0e866d1daccb5a922c216145a4dd

Download Submit
C:\Program Files\Voicemod Desktop\Microsoft.Extensions.Hosting.Abstractions.dll

Filesize
22KB

MD5
f3616191069793a8c40045ed0fcb6309

SHA1
8f4d447f6e5bc442953517dbf5598cd7ccd945a6

SHA256
fc67990fb44d03c9c61323e362aefb749024192963d87cc99eacccf5b468449f

SHA512
3819305d55bcafb33fa867f6888c738b1464519e3915f47773c3044116706c7381f226a72ae62241418b6b1af68fddb5af6a85fcbe49d63b1f6c099b592d72b8

Download Submit
C:\Program Files\Voicemod Desktop\NAudio.Vorbis.dll

Filesize
14KB

MD5
7721decf5f28e1470d40b912b2253779

SHA1
04536a984d29ad5bb1939ab83a1c5eea501f2670

SHA256
ca4cceb6a39d5b511abb897d8bd3c1de6921cf8a284da73be2f7ba79ac377b92

SHA512
2aa81e5a800f804ecbb206cbd2807d4a1987341dd211f8c493b6d5873e7d3d35f4db8c27b4d67631c592861eb3fa05037ea93d02585870e6354054df687af076

Download Submit
C:\Program Files\Voicemod Desktop\NAudio.dll

Filesize
501KB

MD5
047bca47d9d12191811fb2e87cded3aa

SHA1
afdc5d27fb919d1d813e6a07466f889dbc8c6677

SHA256
bc4bacc3b8b28d898f1671b79f216cca439f95eb60cd32d3e3ecafbecac42780

SHA512
99505644d42e4c60c977e4144165ea9dea8f1301e6456aa809e046ecc84a3813a190ce65169a6ffef5a36ad3541ec91002615a02933f8deb642aa3f8f3b11f2f

Download Submit
C:\Program Files\Voicemod Desktop\NLog.dll

Filesize
827KB

MD5
c71e0369481b26fc71eb11186635796e

SHA1
d77558ee49a2c01ff16a7ff08e71cbae32e0c2f1

SHA256
72d594b34415c86942d501e9e134034be23f342db08c6c4cd3344921a169d394

SHA512
9ec195c873680fb9ee7bbd2f1f397126d1b1d38c1630108e7206c3f678b80052207ac25247a254fd27ae93ff71e5b778c27afb423cc9946b91549a328ec4be04

Download Submit
C:\Program Files\Voicemod Desktop\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Program Files\Voicemod Desktop\Sentry.dll

Filesize
445KB

MD5
92faf44b4039491f6b8abe0b217c0121

SHA1
d2faa4e45eb08f2235a5b9ce98b6ce59f9313713

SHA256
cf0c0b8b780d11da59ba4578070511c7a20d45a02235d14f95551a8fbf23cecd

SHA512
2ce6ecd798e9418341035edffa4a260283447e84d6ee759bd56cf985e8ab928ab9bddee984f4a812944772a890c4375fd4a923edbc79d8a6d64f89d68b3e5b84

Download Submit
C:\Program Files\Voicemod Desktop\SimpleInjector.Integration.ServiceCollection.dll

Filesize
28KB

MD5
0fea67334de34e7642b0a68a7f38882a

SHA1
9b8cfee51c4575642af55e639656408c94b76f3f

SHA256
1ea06d8a47c1c9c516509996af6b480b3a46211cc8c2a823b44f655fdf5ecfec

SHA512
34fab98cbbb6886ed56bb6ab49d8adb374f081c152903704ff347c1f47a2fc574d510c1f569d7edc040992668bc956fb1ebe8b6356f8f98de32ca6076942ac0e

Download Submit
C:\Program Files\Voicemod Desktop\SimpleInjector.dll

Filesize
421KB

MD5
038070557b98ff8084c0787273e86f7e

SHA1
03c27b8f3bd2dff6c235dbeb339178c2ef2eea3d

SHA256
2aec4b2b9c23503c2d94f01bc3516ea1a4ff0d2e92f2e190783c8a49fb8158e9

SHA512
808972748e85f1ffa852579209aa0a96060a1fb3965545c4a63b40793f17d0e07f84eb9f9a9e1ccf716e7eeeaf60ac3141e1964945a0b0bf85298ce5daf7797c

Download Submit
C:\Program Files\Voicemod Desktop\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Program Files\Voicemod Desktop\Voicemod.VoicemodDesktop.UI.dll

Filesize
11.9MB

MD5
042781972f92f8285267ee4df3d91681

SHA1
b06ce717947c2229f941db45b0ec7a39c74c5e18

SHA256
f77e19cac738fe7bc5bf236d21ce5944fe1c40ae4ba7884bfb0c06793fc0c07d

SHA512
9a1d3c380a847f07370468945fe367cc38ef842cf40098bbf58a1b12a6083da432710eabb8172586e275c3bb194e8e1ffa2d1e148cb3a9fa1bc162a1d6c00967

Download Submit
C:\Program Files\Voicemod Desktop\Voicemod.VoicemodDesktop.UI.dll

Filesize
11.9MB

MD5
042781972f92f8285267ee4df3d91681

SHA1
b06ce717947c2229f941db45b0ec7a39c74c5e18

SHA256
f77e19cac738fe7bc5bf236d21ce5944fe1c40ae4ba7884bfb0c06793fc0c07d

SHA512
9a1d3c380a847f07370468945fe367cc38ef842cf40098bbf58a1b12a6083da432710eabb8172586e275c3bb194e8e1ffa2d1e148cb3a9fa1bc162a1d6c00967

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.2MB

MD5
f8c008e5759bdc5c17c1a9efb59fb22f

SHA1
4f07c56ddc88203a24a1c45a0e5b85cefc29b383

SHA256
4df4f5c414e947787366209e732e9def61247b61ce6b84f49422646738154fea

SHA512
0d96c556415932ac5a7dea5c2c0c4d0811eae9c1d40f2ff2d651ded16568e8860ea8d7a29868698e839bdfa5687a1387aeaa69b5b59fa7bec4b4b92b07e5e804

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.2MB

MD5
f8c008e5759bdc5c17c1a9efb59fb22f

SHA1
4f07c56ddc88203a24a1c45a0e5b85cefc29b383

SHA256
4df4f5c414e947787366209e732e9def61247b61ce6b84f49422646738154fea

SHA512
0d96c556415932ac5a7dea5c2c0c4d0811eae9c1d40f2ff2d651ded16568e8860ea8d7a29868698e839bdfa5687a1387aeaa69b5b59fa7bec4b4b92b07e5e804

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
7.2MB

MD5
f8c008e5759bdc5c17c1a9efb59fb22f

SHA1
4f07c56ddc88203a24a1c45a0e5b85cefc29b383

SHA256
4df4f5c414e947787366209e732e9def61247b61ce6b84f49422646738154fea

SHA512
0d96c556415932ac5a7dea5c2c0c4d0811eae9c1d40f2ff2d651ded16568e8860ea8d7a29868698e839bdfa5687a1387aeaa69b5b59fa7bec4b4b92b07e5e804

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe.config

Filesize
7KB

MD5
2b70a213b9e67127f09948ab814ae417

SHA1
3802f6e7f6be7ea76e529dff37ac38b9ea55d0c7

SHA256
d8c3da764fca4495d0a7903dba58349dda77c50618593ae14884a8ee124ca28e

SHA512
2458bdb39ab5c960cb17318e3708a81654a964a899d41ae9c05f6824fdc2b42b34393f94ea17e0170eebf6da5fb61675563ae00dead8d717c0cbd812b915d928

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodSDK.dll

Filesize
30.4MB

MD5
7adc3132de42cd848945b8ff6d30db80

SHA1
c462cb6e5d573e5b9e60d6c723e4d7e61c19a388

SHA256
cbd4c228f2ed3098975bbb6a66f96c3f6fdb7b4ffbc691681ebc05a915e8b0f9

SHA512
a5b886081249895a0d8644a1fb80aa294efb6813489067549ee661d15e33e1ab17c48cf34a59303d209e8c4dbb618dd1f7adfefac80bf39a713c720eb8302cae

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodSDK.dll

Filesize
30.4MB

MD5
7adc3132de42cd848945b8ff6d30db80

SHA1
c462cb6e5d573e5b9e60d6c723e4d7e61c19a388

SHA256
cbd4c228f2ed3098975bbb6a66f96c3f6fdb7b4ffbc691681ebc05a915e8b0f9

SHA512
a5b886081249895a0d8644a1fb80aa294efb6813489067549ee661d15e33e1ab17c48cf34a59303d209e8c4dbb618dd1f7adfefac80bf39a713c720eb8302cae

Download Submit
C:\Program Files\Voicemod Desktop\chrome_elf.dll

Filesize
1.4MB

MD5
95e3b5a4324966d073e9feec47f8f9ae

SHA1
1b6fe6ebe1c9efdbb72682d8ecce05aac87bc159

SHA256
11bcca028f843de4a64b7a61031974fe139b4c6b6f8f0b9918d5a7cfdb03b9f3

SHA512
457c21632765534d7ac88eb876f8f802169548e2484dac6f44e88c55116d59867267c3e8ba9cec5e1e507ec97d41aa266a7383d483082d15d315551c114811f0

Download Submit
C:\Program Files\Voicemod Desktop\chrome_elf.dll

Filesize
1.4MB

MD5
95e3b5a4324966d073e9feec47f8f9ae

SHA1
1b6fe6ebe1c9efdbb72682d8ecce05aac87bc159

SHA256
11bcca028f843de4a64b7a61031974fe139b4c6b6f8f0b9918d5a7cfdb03b9f3

SHA512
457c21632765534d7ac88eb876f8f802169548e2484dac6f44e88c55116d59867267c3e8ba9cec5e1e507ec97d41aa266a7383d483082d15d315551c114811f0

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\disableDrv.bat

Filesize
273B

MD5
ecc70d85c21b6ca0eafdaecbd4b3fade

SHA1
b5750a80b7ebdda7aa4665596d466b0deb448965

SHA256
7fae365b37340c032703c8f5045d05f8c592890932ed74c1343c3e526c24ae00

SHA512
58e26ea44c7e8173caf7aa9fde3822ac68e74f8ae6b27c9dd6f06fbf1fdcef888ebd6d331cb3fad3df7c1974ebcf337b95d06c2c8d468349cb34674ea52d9ce1

Download Submit
C:\Program Files\Voicemod Desktop\driver\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrv.bat

Filesize
155B

MD5
40828dd0bcea33a654a95424a47ba6ac

SHA1
1628aa873bcee8535956c58d09c501999a109fbe

SHA256
c26adbc237104e98381973202b8749fa68329be80a10e54f3b6a046b04b35cdf

SHA512
14487658a8376a96460e2fe669f91716d7ed604b9b02df44cbe8212869ad368f31f33fc50617c0650f64893faf033af2ad209849083177ba5469c87e6ce27236

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrvAdmin.bat

Filesize
1KB

MD5
0f7177b97fdb5588f4f4ce93cba508fb

SHA1
e26497ce0f32c52e7e8eee534c1e94441ad6ee5e

SHA256
a3371fb86a3a865d51740c41791559c864072f2a4d146773cf06e8e159e18c88

SHA512
95e1d07cb7360d83cabff69cb7bbd670602e3077fb313fd1aeb10b025bc27d0b92aa848b34d5cf63defea030634d26e81838e9b1f5cb8f7007e12f2fffbeb59f

Download Submit
C:\Program Files\Voicemod Desktop\driver\uninstalldriver.bat

Filesize
1KB

MD5
a6261c36b1eb262f18c98e520966c329

SHA1
be1f1a0bdcc2f26bc41599b257f2b4c95a1a87a1

SHA256
d0cdbdb5be2be15f77861b6e08aa553d9e8580c224ef0f63e55064f415fc16f0

SHA512
06da998b9778148e15065b67ea6ffadd6df7babf6b1b435368e6c7b6e91d3506d3c3498140cd8b950e207d97c78a899e567b4fbf462d07f7ad473a878ea45fec

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Program Files\Voicemod Desktop\libcef.dll

Filesize
186.9MB

MD5
6e2fcb606e29952a2c174f52c3d38092

SHA1
d7fa115fb50ad0f071e7c4d5c7da16738eba85d9

SHA256
7067eeea08595630ca99c6b12a889e3f383827a07873ae6d899e09bb65915634

SHA512
ea821711ecc746c17b58fba30a2d15b474f3b34117f4f668869416a3e3e937fa667071252e47a113022f27717e95a2effe1cf4ad14df0e9de5b84a6feb4a6691

Download Submit
C:\Program Files\Voicemod Desktop\libcef.dll

Filesize
186.9MB

MD5
6e2fcb606e29952a2c174f52c3d38092

SHA1
d7fa115fb50ad0f071e7c4d5c7da16738eba85d9

SHA256
7067eeea08595630ca99c6b12a889e3f383827a07873ae6d899e09bb65915634

SHA512
ea821711ecc746c17b58fba30a2d15b474f3b34117f4f668869416a3e3e937fa667071252e47a113022f27717e95a2effe1cf4ad14df0e9de5b84a6feb4a6691

Download Submit
C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping1296_961808176\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping1296_961808176\manifest.json

Filesize
1001B

MD5
2648d437c53db54b3ebd00e64852687e

SHA1
66cfe157f4c8e17bfda15325abfef40ec6d49608

SHA256
68a3d7cb10f3001f40bc583b7fff0183895a61d3bd1b7a1c34e602df6f0f8806

SHA512
86d5c3129bec156b17b8ebd5dec5a6258e10cb426b84dd3e4af85c9c2cd7ebf4faea01fd10dd906a18ea1042394c3f41a835eae2d83dc8146dfe4b6d71147828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrxjtoh5.1k2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-007IC.tmp\VoicemodSetup_2.46.0.0.tmp

Filesize
2.4MB

MD5
75e45bedca8a288216ae8f77711071c6

SHA1
1efbe104d7434c3b308754323e86ffd045d31612

SHA256
46c5f1b39e16075f744d4f26d42f66d7cb1686e0f4bc1d4a69ebba8b3674ff50

SHA512
a43c0d95df01b3ff2754c1a72f686a6413c29bd234230bed3faa1129b459398408e05d578d764153436fbd10120da69c7621957caf35b214efd281898a57dfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-007IC.tmp\VoicemodSetup_2.46.0.0.tmp

Filesize
2.4MB

MD5
75e45bedca8a288216ae8f77711071c6

SHA1
1efbe104d7434c3b308754323e86ffd045d31612

SHA256
46c5f1b39e16075f744d4f26d42f66d7cb1686e0f4bc1d4a69ebba8b3674ff50

SHA512
a43c0d95df01b3ff2754c1a72f686a6413c29bd234230bed3faa1129b459398408e05d578d764153436fbd10120da69c7621957caf35b214efd281898a57dfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M7VI4.tmp\bg-bottom.png

Filesize
1KB

MD5
a85701bbac20a65391e4e202afc96204

SHA1
a0e73596a79baaa29fbbb368bd132e3ee49d3b03

SHA256
7e3058acb23e999d1ddfdea122afd33bc487b075c2a966affeec4d38cdbb738f

SHA512
55b1015a0d6a613104ae7edb64a59d198a176ee4fc0c32d9f1af1e7ad577af606adf55ea5586ad25443fb9ea9e770dbc2267301027c1a5f3db5eff928086a27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M7VI4.tmp\bg-inner.png

Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M7VI4.tmp\bg-top.png

Filesize
32KB

MD5
dc19715992c0051d1456308b41f04e98

SHA1
85abf86dd0e738638fff84ecd44e5b3cdbb4b96d

SHA256
86bfe5acda1b1fc9bc8f205a58c824ad58179925d2ceae11b2a341122604457d

SHA512
2f7b3bfa6c084b830213996f7691b6abcb9efd0ac44da4739972758b4eab0478e46761d8590fcea03d2902909c2c992f1eed1ef48e353a05ba67c06189d2117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M7VI4.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M7VI4.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M7VI4.tmp\buttons.png

Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M7VI4.tmp\deviceId.txt

Filesize
36B

MD5
cf450676663d0af3612b5179ae69a495

SHA1
7da9a0cf3c5787e17aaf2e6e8518fd83655d22a3

SHA256
9f0817f28f4c6704ac7c25b5a79faa8b4ba5f8524a103fd0a3aac896d37f48ad

SHA512
cb070b7411d74509e8d0941b65527afa16f23f68c800e3242f229da3d934ee32ccb0176e1c558d494b97d8503f80393ddee436a11da502ec733fbd643f57f40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M7VI4.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_VoicemodDesktop.exe.txt

Filesize
7KB

MD5
971b9a8fabbaf3e6e455e1ff70372909

SHA1
b57baa6f00bbe278479280a1dbde807df87eb587

SHA256
621d0436859ec378de1f3200b18cdb33e81218a588ff57da6af836694a70cba8

SHA512
0cb5d4165692d405f71b9334504c1b1824678fdd5236ad24615de11131ba0d8ea44825ef65096c784c2ed941fbabe8d52ae9bbdbddcc852a7d374866c754e483

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt

Filesize
7KB

MD5
a8420e0de70efbd9267789cd2530297c

SHA1
46cd60037020dd6d979851ae2323956e30ffd3e3

SHA256
66153ef21b04954a82749f0a9c9da35093de6e0cfe522d41d8e978aefbbcc369

SHA512
b551f4b2a7b93b853693f65091ec42a3e9c84ec95e86ecbcc7ca4bb92250f83f13536ebf3a4d77dab241c764fc847120b392b84130715d4a5d5116873b5207e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{72A53~1\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\{72A53~1\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Users\Admin\AppData\Local\Temp\{72a53cc2-1773-5b42-96c9-908965f2b707}\SET35F7.tmp

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{72a53cc2-1773-5b42-96c9-908965f2b707}\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\{72a53cc2-1773-5b42-96c9-908965f2b707}\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{72a53cc2-1773-5b42-96c9-908965f2b707}\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
8fb3e51d5965a20b14b4eead9d6e1f15

SHA1
5ec50cf3e88d22f83a7d2cea373d5c7896c9bcab

SHA256
93bc5210192b95d5eae892ce6168b42573aa85e8c581922b8e29b5cc170cc06a

SHA512
b93d83e732ef9467ac1872ef48c3362ac3094851f1292535b8daf12df36d2aa9eb8698f50d67fb4da794cc4ba051c16215c83cb8a53382ba317aef349a7a0c28

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b784413ea3c9ff4fce25d600e08bf6b4

SHA1
8ec41c7bd6dbd5757ffd3b25ee7c00399c81bfe0

SHA256
af5264d4c2495beb16558ad8e82fc0ffa0e625cc39f6f3dae089f36f2b6791aa

SHA512
0bdce0073523e5778ea639327a1e296b2c5f748bba127e97c384e0dbce8fe050a6632307c9b94a9b749f089fac3d64ccefab541b7b4bef127b3b0aa678fffd7b

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\LocalPrefs.json

Filesize
672B

MD5
87ecd93e0c6ad12ec716c4c615f99dd0

SHA1
ea875b3544fdfbe41f0f6a1125cc7f25bf0a54af

SHA256
fb9b3e96cefb5d6225996477d7112c1c52e18c13e71d11a835f93ae98e630eba

SHA512
900873f62f88f0fd7aeced1aebb7549e9972b3bff15db29e512642eafbef3c611b1c39a04efdbeadeed042d2daaed717f80797f00de9774d72a2215e5a1cd73d

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\LocalPrefs.json

Filesize
765B

MD5
4ac263557a1bc73c19b3a99b3ebb73c8

SHA1
0ceee2bc5f844b06e26e4ddd63aea57beebface1

SHA256
8da6ea68c2ab8cb1088dec2ead3ad157941bfc3b2053a0347b614f6ec636e2f1

SHA512
a456b646e885c4c7b6198cef84e3bfdc3503eb1dfbb9c5e1c6c7d4f967129e5293ea960d90b483b096de01971e6a669ab3073b8f471294de6d9843698a47c94e

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\LocalPrefs.json~RFe5d373f.TMP

Filesize
484B

MD5
8ba81958c88bd77fc04366909329f740

SHA1
6a58deb3a63496f327a3f239ca394baa5fdc32a9

SHA256
603e55df81b143f3f4805955bbd049bc7830342572b9245ab0fe28b75ebaabc4

SHA512
4a9e08821d4bc2382fd83b408a0a282949ec60a8ad74d88b543e7fccc710b152d4f00205820df40886366c8a85c939ace8b6d07ae00c2910ac3d0cda994a4105

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Network\Network Persistent State

Filesize
697B

MD5
cd4653f8adc713e9383d925573d33b32

SHA1
fe9d80a8a761b1844669817fbab69b60be9bb67e

SHA256
4b52434b05237f91059bb1b0a6e9ade71bfa25d89c49d85c73fc8e20a9087e2a

SHA512
fe1a8338731350bcebcbd702ffc7f068947c765051386d7e19649ba58d5fea33e87e3b0d3726a189831e815003d58ef6ec10a3e6fd6bacaddd88b09c8e579d78

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Network\Network Persistent State~RFe5d6804.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Windows\INF\oem3.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Windows\System32\DriverStore\FileRepository\MVVAD~1.INF\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
\??\c:\PROGRA~1\VOICEM~1\driver\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
\??\c:\program files\voicemod desktop\driver\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
memory/1244-612-0x000002077F220000-0x000002077F230000-memory.dmp

Filesize
64KB

Download
memory/1244-719-0x00007FF844710000-0x00007FF8451D1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-600-0x000002077F150000-0x000002077F172000-memory.dmp

Filesize
136KB

Download
memory/1244-610-0x00007FF844710000-0x00007FF8451D1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-615-0x000002077F220000-0x000002077F230000-memory.dmp

Filesize
64KB

Download
memory/1244-627-0x00007FF844710000-0x00007FF8451D1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-631-0x000002077F220000-0x000002077F230000-memory.dmp

Filesize
64KB

Download
memory/1244-632-0x000002077F220000-0x000002077F230000-memory.dmp

Filesize
64KB

Download
memory/1244-638-0x000002077F220000-0x000002077F230000-memory.dmp

Filesize
64KB

Download
memory/1296-822-0x00000233B9B50000-0x00000233B9B5A000-memory.dmp

Filesize
40KB

Download
memory/1296-849-0x00000233BA270000-0x00000233BA27E000-memory.dmp

Filesize
56KB

Download
memory/1296-757-0x000002339DC90000-0x000002339E3C0000-memory.dmp

Filesize
7.2MB

Download
memory/1296-806-0x00000233B95F0000-0x00000233B97AE000-memory.dmp

Filesize
1.7MB

Download
memory/1296-758-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/1296-813-0x00000233B9BB0000-0x00000233B9C60000-memory.dmp

Filesize
704KB

Download
memory/1296-856-0x00000233BA500000-0x00000233BA514000-memory.dmp

Filesize
80KB

Download
memory/1296-817-0x00000233B9CE0000-0x00000233B9D50000-memory.dmp

Filesize
448KB

Download
memory/1296-815-0x00000233B9C60000-0x00000233B9CD6000-memory.dmp

Filesize
472KB

Download
memory/1296-802-0x00000233B97E0000-0x00000233B98F4000-memory.dmp

Filesize
1.1MB

Download
memory/1296-892-0x00000233BD1F0000-0x00000233BD20E000-memory.dmp

Filesize
120KB

Download
memory/1296-820-0x00000233B97C0000-0x00000233B97CA000-memory.dmp

Filesize
40KB

Download
memory/1296-893-0x00000233BDE10000-0x00000233BEA02000-memory.dmp

Filesize
11.9MB

Download
memory/1296-818-0x00000233B9A00000-0x00000233B9B00000-memory.dmp

Filesize
1024KB

Download
memory/1296-866-0x00000233B8C50000-0x00000233B8C60000-memory.dmp

Filesize
64KB

Download
memory/1296-787-0x00000233B8C50000-0x00000233B8C60000-memory.dmp

Filesize
64KB

Download
memory/1296-823-0x00000233B9B60000-0x00000233B9B68000-memory.dmp

Filesize
32KB

Download
memory/1296-824-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/1296-789-0x00000233B8C60000-0x00000233B8D34000-memory.dmp

Filesize
848KB

Download
memory/1296-944-0x00000233BD290000-0x00000233BD2C4000-memory.dmp

Filesize
208KB

Download
memory/1296-827-0x00000233B8C50000-0x00000233B8C60000-memory.dmp

Filesize
64KB

Download
memory/1296-829-0x00000233BA2C0000-0x00000233BA32C000-memory.dmp

Filesize
432KB

Download
memory/1296-937-0x00000233BEF40000-0x00000233BF468000-memory.dmp

Filesize
5.2MB

Download
memory/1296-830-0x00000233B9A00000-0x00000233B9B00000-memory.dmp

Filesize
1024KB

Download
memory/1296-845-0x00000233BA530000-0x00000233BA5B4000-memory.dmp

Filesize
528KB

Download
memory/1296-936-0x00000233B8C50000-0x00000233B8C60000-memory.dmp

Filesize
64KB

Download
memory/1296-843-0x00000233BA290000-0x00000233BA29A000-memory.dmp

Filesize
40KB

Download
memory/1296-928-0x00000233B8C50000-0x00000233B8C60000-memory.dmp

Filesize
64KB

Download
memory/1296-854-0x00000233BA4A0000-0x00000233BA4AA000-memory.dmp

Filesize
40KB

Download
memory/1296-922-0x00000233BD440000-0x00000233BD532000-memory.dmp

Filesize
968KB

Download
memory/1296-847-0x00000233BA2A0000-0x00000233BA2B2000-memory.dmp

Filesize
72KB

Download
memory/1296-791-0x000002339E780000-0x000002339E790000-memory.dmp

Filesize
64KB

Download
memory/1296-852-0x00000233BA280000-0x00000233BA28E000-memory.dmp

Filesize
56KB

Download
memory/1296-921-0x00000233BD230000-0x00000233BD24A000-memory.dmp

Filesize
104KB

Download
memory/1296-850-0x00000233BA4C0000-0x00000233BA4DA000-memory.dmp

Filesize
104KB

Download
memory/1780-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1780-8-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1780-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1780-786-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1804-116-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-100-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1804-726-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-7-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1804-613-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-9-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-10-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1804-19-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-36-0x0000000003C20000-0x0000000003C2E000-memory.dmp

Filesize
56KB

Download
memory/1804-90-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1804-95-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1804-112-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-113-0x0000000003C20000-0x0000000003C2E000-memory.dmp

Filesize
56KB

Download
memory/1804-465-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-358-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-110-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1804-105-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1804-114-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1804-181-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1804-183-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-352-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2136-899-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/2752-934-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/2752-883-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/2756-884-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/2756-888-0x00000245D7030000-0x00000245D7040000-memory.dmp

Filesize
64KB

Download
memory/2756-935-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/3948-863-0x000001C8EF060000-0x000001C8EF070000-memory.dmp

Filesize
64KB

Download
memory/3948-889-0x000001C8EF060000-0x000001C8EF070000-memory.dmp

Filesize
64KB

Download
memory/3948-886-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/3948-858-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/3948-864-0x000001C8EFF00000-0x000001C8F0020000-memory.dmp

Filesize
1.1MB

Download
memory/4208-887-0x000001CD2FAF0000-0x000001CD2FB00000-memory.dmp

Filesize
64KB

Download
memory/4208-898-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download
memory/4208-865-0x00007FF8430D0000-0x00007FF843B91000-memory.dmp

Filesize
10.8MB

Download