zgrat | 23ecba0be777d9b7a5683d0939d9ae17c4427c46e51ff959e91785d83c60efd1

Resubmissions

01/11/2023, 15:11

231101-sky1haab5w 7

31/10/2023, 15:15

231031-sndtqsac5x 10

Analysis

max time kernel
288s
max time network
302s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
Size

476KB
MD5

b8162dccc95c2ed40a3fd946dd127242
SHA1

27899142d055dcce7ad3288028c8e3187421275c
SHA256

23ecba0be777d9b7a5683d0939d9ae17c4427c46e51ff959e91785d83c60efd1
SHA512

51eef114974531407df6e04af725855293db7e5bdd2e311af5b14dcbef70de9759ae00fa1c17bb72351697fb8d8cf163a1072e957430d33ca90dffeadf0eefbb
SSDEEP

3072:AkBGWOsTIJgIDU5A/cto68pMABlZQ2wpFD0ravSGKBUGYDxJ0y5t8:A1ssjn5Mp2w7g+VKvSA

Score

10^/10

zgrat discovery persistence rat

Malware Config

Signatures

Detect ZGRat V1 11 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016ce9-649.dat	family_zgrat_v1
behavioral1/files/0x0007000000016ce9-653.dat	family_zgrat_v1
behavioral1/files/0x0007000000016ce9-654.dat	family_zgrat_v1
behavioral1/files/0x0007000000016ce9-658.dat	family_zgrat_v1
behavioral1/files/0x0007000000016ce9-660.dat	family_zgrat_v1
behavioral1/files/0x0007000000016ce9-661.dat	family_zgrat_v1
behavioral1/files/0x0007000000016ce9-662.dat	family_zgrat_v1
behavioral1/files/0x0007000000016ce9-663.dat	family_zgrat_v1
behavioral1/files/0x0007000000016ce9-665.dat	family_zgrat_v1
behavioral1/files/0x0007000000016ce9-664.dat	family_zgrat_v1
behavioral1/memory/1924-666-0x0000000000D50000-0x0000000001106000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
2276	VoiceAI-Installer.exe
2980	vc2019.exe
1672	vc2019.exe
1692	VC_redist.x64.exe
1924	VoiceAI.exe
1416	Process not Found

Loads dropped DLL 25 IoCs

pid	Process
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2276	VoiceAI-Installer.exe
2276	VoiceAI-Installer.exe
2276	VoiceAI-Installer.exe
2980	vc2019.exe
1672	vc2019.exe
1672	vc2019.exe
2664	VC_redist.x64.exe
2276	VoiceAI-Installer.exe
2276	VoiceAI-Installer.exe
2276	VoiceAI-Installer.exe
1416	Process not Found
1416	Process not Found
1416	Process not Found
1924	VoiceAI.exe
1924	VoiceAI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{2aaf1df0-eb13-4099-9992-962bb4e596d1} = "\"C:\\ProgramData\\Package Cache\\{2aaf1df0-eb13-4099-9992-962bb4e596d1}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	1904	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\voiceaidriver.sys	DrvInst.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\SET3E19.tmp	DrvInst.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\VoiceAIDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\SET3E2B.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\voiceaidriver.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\SET3E19.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\SET3E2A.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\SET3E2A.tmp	DrvInst.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\SET3E2B.tmp	DrvInst.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Voice.ai\locales\nl.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\opensource\libgcrypt.txt	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\gu.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\te.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\tr.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\VoiceAI.exe	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\CefSharp.BrowserSubprocess.Core.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\opensource\libsamplerate.txt	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\hostpolicy.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\fr.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\d3dcompiler_47.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\libsndfile-1.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\bg.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\cs.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\DriverManager.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\CefSharp.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\cudart64_110.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\opensource\libsndfile.txt	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\ca.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\snapshot_blob.bin	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\BsSndRpt.exe	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\BugSplatDotNet.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\libmp3lame.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\opensource\onnxruntime.txt	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\sv.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\VoiceAIDriver\VoiceAIDriver.cat	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\zh-TW.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\AudioPX.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\gcrypt.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\opensource\libmp3lame.txt	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\bn.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\hr.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\sr.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\ta.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\chrome_100_percent.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\uninstall.exe	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\NAudio.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\chrome_elf.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\es.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\ml.pak	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\VoiceAI-Installer.exe	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\installer.log	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
File created	C:\Program Files\Voice.ai\discord_game_sdk.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\libGLESv2.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\onnxruntime_providers_shared.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\mr.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\ro.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\chrome_200_percent.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\VoiceAI-Installer.exe	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
File opened for modification	C:\Program Files\Voice.ai\DriverManager.dll	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\gcrypt.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\libsamplerate-0.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\tools\vc2019.exe	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\el.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\fa.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\VoiceAILib.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\lv.pak	VoiceAI-Installer.exe
File opened for modification	C:\Program Files\Voice.ai\tools\vc2019.exe	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\opensource\devcon.txt	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\ms.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\locales\zh-CN.pak	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\CefSharp.Core.Runtime.dll	VoiceAI-Installer.exe
File created	C:\Program Files\Voice.ai\libEGL.dll	VoiceAI-Installer.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIFBF7.tmp	msiexec.exe
File created	C:\Windows\Installer\f79dc94.msi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File created	C:\Windows\Installer\f79dc6a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f79dc6d.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	VoiceAI.exe
File opened for modification	C:\Windows\Installer\f79dc6a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE9C9.tmp	msiexec.exe
File created	C:\Windows\Installer\f79dc81.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f79dc6d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE67D.tmp	msiexec.exe
File created	C:\Windows\Installer\f79dc7d.msi	msiexec.exe
File created	C:\Windows\Installer\f79dc7e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f79dc7e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f79dc81.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	VoiceAI.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000700000001656d-62.dat	nsis_installer_1
behavioral1/files/0x000700000001656d-62.dat	nsis_installer_2
behavioral1/files/0x000700000001656d-65.dat	nsis_installer_1
behavioral1/files/0x000700000001656d-65.dat	nsis_installer_2
behavioral1/files/0x000700000001656d-66.dat	nsis_installer_1
behavioral1/files/0x000700000001656d-66.dat	nsis_installer_2

Modifies data under HKEY_USERS 59 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31\52C64B7E	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\203A181AD6F3DAB4798A4A626A94D987	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\203A181AD6F3DAB4798A4A626A94D987\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{A977984B-9244-49E3-BD24-43F0A8009667}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.31,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.31.31103"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.31,bundle\Dependents\{2aaf1df0-eb13-4099-9992-962bb4e596d1}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{A181A302-3F6D-4BAD-97A8-A426A6499D78}v14.31.31103\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.31.31103"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voiceai\shell\open	VoiceAI-Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\203A181AD6F3DAB4798A4A626A94D987\VC_Runtime_Minimum	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B489779A44293E94DB42340F8A006976\VC_Runtime_Additional	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\B489779A44293E94DB42340F8A006976	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\203A181AD6F3DAB4798A4A626A94D987	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{A181A302-3F6D-4BAD-97A8-A426A6499D78}v14.31.31103\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\PackageCode = "E49FE452611FCB64B91833BADDC6195B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\Version = "236943743"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voiceai\shell\open\command\ = "\"C:\\Program Files\\Voice.ai\\VoiceAI.exe\" \"%1\""	VoiceAI-Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{A977984B-9244-49E3-BD24-43F0A8009667}v14.31.31103\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.31.31103"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.31.31103"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\PackageCode = "09139770F15A2384695CFEF667B84B3C"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\203A181AD6F3DAB4798A4A626A94D987\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{2aaf1df0-eb13-4099-9992-962bb4e596d1}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{2aaf1df0-eb13-4099-9992-962bb4e596d1}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voiceai	VoiceAI-Installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.31.31103"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B489779A44293E94DB42340F8A006976	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voiceai\Url Protocol	VoiceAI-Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B489779A44293E94DB42340F8A006976\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{A977984B-9244-49E3-BD24-43F0A8009667}v14.31.31103\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.31,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.31,bundle\ = "{2aaf1df0-eb13-4099-9992-962bb4e596d1}"	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VoiceAI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoiceAI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoiceAI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VoiceAI.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
1904	msiexec.exe
1904	msiexec.exe
1904	msiexec.exe
1904	msiexec.exe
1904	msiexec.exe
1904	msiexec.exe
1904	msiexec.exe
1904	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2724	vssvc.exe
Token: SeRestorePrivilege	2724	vssvc.exe
Token: SeAuditPrivilege	2724	vssvc.exe
Token: SeRestorePrivilege	1404	DrvInst.exe
Token: SeRestorePrivilege	1404	DrvInst.exe
Token: SeRestorePrivilege	1404	DrvInst.exe
Token: SeRestorePrivilege	1404	DrvInst.exe
Token: SeRestorePrivilege	1404	DrvInst.exe
Token: SeRestorePrivilege	1404	DrvInst.exe
Token: SeRestorePrivilege	1404	DrvInst.exe
Token: SeLoadDriverPrivilege	1404	DrvInst.exe
Token: SeLoadDriverPrivilege	1404	DrvInst.exe
Token: SeLoadDriverPrivilege	1404	DrvInst.exe
Token: SeShutdownPrivilege	1692	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1692	VC_redist.x64.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeSecurityPrivilege	1904	msiexec.exe
Token: SeCreateTokenPrivilege	1692	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	1692	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	1692	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1692	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	1692	VC_redist.x64.exe
Token: SeTcbPrivilege	1692	VC_redist.x64.exe
Token: SeSecurityPrivilege	1692	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	1692	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	1692	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	1692	VC_redist.x64.exe
Token: SeSystemtimePrivilege	1692	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	1692	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	1692	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	1692	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	1692	VC_redist.x64.exe
Token: SeBackupPrivilege	1692	VC_redist.x64.exe
Token: SeRestorePrivilege	1692	VC_redist.x64.exe
Token: SeShutdownPrivilege	1692	VC_redist.x64.exe
Token: SeDebugPrivilege	1692	VC_redist.x64.exe
Token: SeAuditPrivilege	1692	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	1692	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	1692	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	1692	VC_redist.x64.exe
Token: SeUndockPrivilege	1692	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	1692	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	1692	VC_redist.x64.exe
Token: SeManageVolumePrivilege	1692	VC_redist.x64.exe
Token: SeImpersonatePrivilege	1692	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	1692	VC_redist.x64.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2276	2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe	32
PID 2444 wrote to memory of 2276	2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe	32
PID 2444 wrote to memory of 2276	2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe	32
PID 2444 wrote to memory of 2276	2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe	32
PID 2444 wrote to memory of 2276	2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe	32
PID 2444 wrote to memory of 2276	2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe	32
PID 2444 wrote to memory of 2276	2444	Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe	32
PID 2276 wrote to memory of 2980	2276	VoiceAI-Installer.exe	34
PID 2276 wrote to memory of 2980	2276	VoiceAI-Installer.exe	34
PID 2276 wrote to memory of 2980	2276	VoiceAI-Installer.exe	34
PID 2276 wrote to memory of 2980	2276	VoiceAI-Installer.exe	34
PID 2276 wrote to memory of 2980	2276	VoiceAI-Installer.exe	34
PID 2276 wrote to memory of 2980	2276	VoiceAI-Installer.exe	34
PID 2276 wrote to memory of 2980	2276	VoiceAI-Installer.exe	34
PID 2980 wrote to memory of 1672	2980	vc2019.exe	35
PID 2980 wrote to memory of 1672	2980	vc2019.exe	35
PID 2980 wrote to memory of 1672	2980	vc2019.exe	35
PID 2980 wrote to memory of 1672	2980	vc2019.exe	35
PID 2980 wrote to memory of 1672	2980	vc2019.exe	35
PID 2980 wrote to memory of 1672	2980	vc2019.exe	35
PID 2980 wrote to memory of 1672	2980	vc2019.exe	35
PID 1672 wrote to memory of 1692	1672	vc2019.exe	36
PID 1672 wrote to memory of 1692	1672	vc2019.exe	36
PID 1672 wrote to memory of 1692	1672	vc2019.exe	36
PID 1672 wrote to memory of 1692	1672	vc2019.exe	36
PID 1672 wrote to memory of 1692	1672	vc2019.exe	36
PID 1672 wrote to memory of 1692	1672	vc2019.exe	36
PID 1672 wrote to memory of 1692	1672	vc2019.exe	36
PID 1692 wrote to memory of 1380	1692	VC_redist.x64.exe	42
PID 1692 wrote to memory of 1380	1692	VC_redist.x64.exe	42
PID 1692 wrote to memory of 1380	1692	VC_redist.x64.exe	42
PID 1692 wrote to memory of 1380	1692	VC_redist.x64.exe	42
PID 1692 wrote to memory of 1380	1692	VC_redist.x64.exe	42
PID 1692 wrote to memory of 1380	1692	VC_redist.x64.exe	42
PID 1692 wrote to memory of 1380	1692	VC_redist.x64.exe	42
PID 1380 wrote to memory of 2664	1380	VC_redist.x64.exe	43
PID 1380 wrote to memory of 2664	1380	VC_redist.x64.exe	43
PID 1380 wrote to memory of 2664	1380	VC_redist.x64.exe	43
PID 1380 wrote to memory of 2664	1380	VC_redist.x64.exe	43
PID 1380 wrote to memory of 2664	1380	VC_redist.x64.exe	43
PID 1380 wrote to memory of 2664	1380	VC_redist.x64.exe	43
PID 1380 wrote to memory of 2664	1380	VC_redist.x64.exe	43
PID 2664 wrote to memory of 1528	2664	VC_redist.x64.exe	44
PID 2664 wrote to memory of 1528	2664	VC_redist.x64.exe	44
PID 2664 wrote to memory of 1528	2664	VC_redist.x64.exe	44
PID 2664 wrote to memory of 1528	2664	VC_redist.x64.exe	44
PID 2664 wrote to memory of 1528	2664	VC_redist.x64.exe	44
PID 2664 wrote to memory of 1528	2664	VC_redist.x64.exe	44
PID 2664 wrote to memory of 1528	2664	VC_redist.x64.exe	44
PID 2276 wrote to memory of 1924	2276	VoiceAI-Installer.exe	45
PID 2276 wrote to memory of 1924	2276	VoiceAI-Installer.exe	45
PID 2276 wrote to memory of 1924	2276	VoiceAI-Installer.exe	45
PID 2276 wrote to memory of 1924	2276	VoiceAI-Installer.exe	45
PID 2720 wrote to memory of 2316	2720	DrvInst.exe	48
PID 2720 wrote to memory of 2316	2720	DrvInst.exe	48
PID 2720 wrote to memory of 2316	2720	DrvInst.exe	48

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe
"C:\Users\Admin\AppData\Local\Temp\Voice.ai-Downloader-alphaver-9a8076101605478c95f602b0ba1e61b7.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Program Files\Voice.ai\VoiceAI-Installer.exe
  "C:\Program Files\Voice.ai\VoiceAI-Installer.exe" /path "C:\Program Files\Voice.ai"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Program Files\Voice.ai\tools\vc2019.exe
    "C:\Program Files\Voice.ai\tools\vc2019.exe" /q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\Temp\{7F6AD93F-CA5D-46B4-8A24-701F761FED8D}\.cr\vc2019.exe
      "C:\Windows\Temp\{7F6AD93F-CA5D-46B4-8A24-701F761FED8D}\.cr\vc2019.exe" -burn.clean.room="C:\Program Files\Voice.ai\tools\vc2019.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /q /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{CD2C9AA5-B32C-479B-B2AD-DE4E1A40E00F} {9346FD1F-05EC-4171-9F0A-199E1A8BF480} 1672
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={2aaf1df0-eb13-4099-9992-962bb4e596d1} -burn.filehandle.self=500 -burn.embedded BurnPipe.{DBA5C06F-5779-426A-8BB2-32932D4D8F82} {42407704-6B2D-4E60-9329-6B62DE5649A0} 1692
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={2aaf1df0-eb13-4099-9992-962bb4e596d1} -burn.filehandle.self=500 -burn.embedded BurnPipe.{DBA5C06F-5779-426A-8BB2-32932D4D8F82} {42407704-6B2D-4E60-9329-6B62DE5649A0} 1692
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{2650846F-5905-4E1A-97CD-24F8FF1C2711} {13140EDA-92F1-4B0C-BAC0-DE88D5F7F289} 2664
        8⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1528
- - C:\Program Files\Voice.ai\VoiceAI.exe
    "C:\Program Files\Voice.ai\VoiceAI.exe" installdriver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies system certificate store
    PID:1924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "0000000000000598"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0ef06f42-1099-1103-a9d3-4c68aea96d37}\voiceaidriver.inf" "9" "66b7f3743" "0000000000000534" "WinSta0\Default" "0000000000000598" "208" "c:\program files\voice.ai\voiceaidriver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{2d166f5a-df68-09eb-bbdd-9736f466284f} Global\{45c9acb0-9d94-2201-8117-a122ad58ac10} C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\voiceaidriver.inf C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\VoiceAIDriver.cat
  2⤵
  PID:2316

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "0000000000000578" "00000000000005E4"
1⤵
PID:1376

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem2.inf" "voiceaidriver.inf:VOICEAIDRIVER.NTamd64:VOICEAIDRIVER_SA:16.36.0.99:root\voiceaidriver" "66b7f3743" "0000000000000534" "0000000000000328" "00000000000005E8"
1⤵
PID:2224

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{43b05ab7-a0e1-490e-892c-ca463c7c9d5e} "(null)"
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f79dc70.rbs

Filesize
17KB

MD5
be5888ff2db290e4e9c6ea9476ff6282

SHA1
dfd78219df79da541ac025720ef9b2531deb9224

SHA256
558284984d9af1ae52f95cb9f4201a61f3f8c7d241c52ca54e5f5fd17616203f

SHA512
179f6d34847b7b99eee8e1513e94a4a2ae71f10c8eb99e5fc47feea3c531eea6c89234929924f0d68599bcffefbb540c5059514f6af105310d0dfd05cd48a4b7

Download Submit
C:\Config.Msi\f79dc7c.rbs

Filesize
16KB

MD5
95b4c92f6adcb92f454a184ca404e93c

SHA1
d5b9e406cbf6261dedc2553aa3e9375e3431aaf9

SHA256
c6908da7094118006a7ff9bc154641a601f4975d502089c670614693fa92af25

SHA512
06639d70771692ef27c653147faa8fb013f380ce99c0a09000f530a91819e1d342ea42b76a916371d0bc1c75913321417db2a16c56a61f34744a2f0dec9ba285

Download Submit
C:\Config.Msi\f79dc84.rbs

Filesize
18KB

MD5
b3a12c9ffe9fccd102007dee3c3145d4

SHA1
70c969d244758d8e81b28d239532b3f3df8f7a40

SHA256
a1111ea08c10e040d605abefeda83da29bd317a5986bfc1ed5efc6089c0b6fb8

SHA512
fd5d3e2f5d74a12ba9121b8f93cbccfda219df2d87d789b2ec13aa42d48b9153a59b67136c44c2ccd1792dcaf519c6095e6cea7a1c7c23abd64c03d684a7741e

Download Submit
C:\Config.Msi\f79dc93.rbs

Filesize
17KB

MD5
f17ddd052a6be79ff02749075213276b

SHA1
b358043945bf47fd2d6a498ebb072e01060d843b

SHA256
f68944396d76aaf8312ce2e61eb89cda06682533938bb82885c3f655df4a63c5

SHA512
49dc4e525a5a74c1d1f225adcd4306d79ce91cc89faa9bc315f05b20517bd4ae50095bcb6016e65b0313f21b6020a42d14424245a0ef4ee651d3640e051e6528

Download Submit
C:\Program Files\Voice.ai\DriverManager.dll

Filesize
82KB

MD5
0ca711f575bca2fae56fd952d9af1276

SHA1
d53d175ddc924431707b8a6e4e4e834094a5fc6e

SHA256
a789ea2806ebb04f8f9fb59c2ee0d407b64e5c33042ca7cd68aeee2fed6b0ea0

SHA512
513de025729d4eb9f9edcbf42b5f5012321ecf1383ce2af0dd6e71b881e72f310d937b59df28cb9e416a79c4294a629da07be68a1c1622f0f1f499c8babbebc1

Download Submit
C:\Program Files\Voice.ai\VoiceAI-Installer.exe

Filesize
699.3MB

MD5
47b51c4a94239d1ee6de41d85f8bb349

SHA1
0a9019084e063d70feac8ff9c62386f3efe88934

SHA256
060d81f1b0b23a57f4fd349c9cea299e925e708a99b4c7a0d9eb0cbd1877e920

SHA512
93b828ce8b32ac4ef2f96ede862bcfab305192bb5f3b6717a66925631b3a4fc3e3410496dce52925858ac58763479d8ec1d3aedf1bd8aab0b85a154ea0c4757d

Download Submit
C:\Program Files\Voice.ai\VoiceAI-Installer.exe

Filesize
699.3MB

MD5
47b51c4a94239d1ee6de41d85f8bb349

SHA1
0a9019084e063d70feac8ff9c62386f3efe88934

SHA256
060d81f1b0b23a57f4fd349c9cea299e925e708a99b4c7a0d9eb0cbd1877e920

SHA512
93b828ce8b32ac4ef2f96ede862bcfab305192bb5f3b6717a66925631b3a4fc3e3410496dce52925858ac58763479d8ec1d3aedf1bd8aab0b85a154ea0c4757d

Download Submit
C:\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
C:\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
C:\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
C:\Program Files\Voice.ai\VoiceAIDriver\VoiceAIDriver.inf

Filesize
14KB

MD5
fa4ddfa2231dc2c50e26794ae7356e0b

SHA1
463f4c2ac4f7505f2361c7853505b19fbe08f257

SHA256
a3554efa382a84130393a4d8656b31f06b20b9387e27fcba978162213fb7be90

SHA512
be11de31cdea93320a03892b572b17985a66d8b8483d1568afcba9d6cd73cfc8f86c628736d9c8649cb9af0acba17dc26c14fef55b2951520236f650b5a55946

Download Submit
C:\Program Files\Voice.ai\meta

Filesize
65B

MD5
2f766d5f93e187462dc61513cd4da4d2

SHA1
7cfcbd1fe4168d3d0d9eb32b876deb20435d1e4f

SHA256
539119bb31af3ebc27735a4c6d09905c771a42283dd901b66d77117f7bdf8987

SHA512
1620127e09bbfac04af6cc301a43614198ea757a77108ed46a8e9b4b76ca4083b2590d6bc7a3a4f295267dc8e1b8d32fe15c612f8407959e6778e3a1c241baad

Download Submit
C:\Program Files\Voice.ai\tools\vc2019.exe

Filesize
24.1MB

MD5
4a85bfd44f09ef46679fafcb1bab627a

SHA1
7741a5cad238ce3e4ca7756058f2a67a57fee9d1

SHA256
37ed59a66699c0e5a7ebeef7352d7c1c2ed5ede7212950a1b0a8ee289af4a95b

SHA512
600e61332416b23ef518f4252df0000c03612e8b0680eab0bdf589d9c855539b973583dc4ce1faab5828f58653ed85a1f9196eb1c7bbf6d2e3b5ab3e83253f98

Download Submit
C:\Program Files\Voice.ai\tools\vc2019.exe

Filesize
24.1MB

MD5
4a85bfd44f09ef46679fafcb1bab627a

SHA1
7741a5cad238ce3e4ca7756058f2a67a57fee9d1

SHA256
37ed59a66699c0e5a7ebeef7352d7c1c2ed5ede7212950a1b0a8ee289af4a95b

SHA512
600e61332416b23ef518f4252df0000c03612e8b0680eab0bdf589d9c855539b973583dc4ce1faab5828f58653ed85a1f9196eb1c7bbf6d2e3b5ab3e83253f98

Download Submit
C:\ProgramData\Package Cache\{2aaf1df0-eb13-4099-9992-962bb4e596d1}\VC_redist.x64.exe

Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
f35b86dcf6488230867f62f9881b3763

SHA1
42b88b81a2c99fb6b277cc83b1f0b77584d9890e

SHA256
8b51b9c7997922521e8f5f660169f9780c9b6cf1bc7f46f6a8f617aa87477070

SHA512
f18ec179a8eb561bd6267c99a52e4b40ffe21a9c095c5458a9546e2624005c9aa277826944253c975382c56d0e48fe3da90471136b7420f299cb733b06b6e6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
826009b038ab8933511fbfaeb6e297b9

SHA1
f736e2313a90d33102dde2c50df6cc44df064a07

SHA256
7cb3ca81264fb5ce71fe0c98d8825570a53e19c78719aa694ced32851e24644e

SHA512
c11642676fc405f81a303fa5cea11ac8eb2a02a8c140226313893b5b9b8e5aff6030f28a49b7fd375fc26011ac795b94807bbec67792214de4a1d62d3f86efe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72f024b28be3e3f6f49310eb8150bde8

SHA1
886713b2a43b3fbc69ba6730e6762d616ce3b68a

SHA256
ca64df44ca02b9131915eef41839f814f493984b1bd7ed0dfd56f29a4888a244

SHA512
9ef450c950b3590e6853c11f5f4b3d2744fdda0fa9cc618666ff8b25509dd432b8b98910775a58de85430fe7101b5d1974eec42e5e84cc4fecb678325a82e912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e452241b38af710528d120962101135

SHA1
d30d3ab196eadc543bd73f1b22151f6d18fdb198

SHA256
2b295fc25e30d93b05fbe208e3cde7b15dbaea705ed20b6f87fc22fb49abdece

SHA512
f6a6de196c2e210f318d3e762a86a8901ad994eaca655ecb523cd9f5be90ff587054876313b9a6701848d0bbd5ca3e1a20ec71cc7ca94b1cd44df6a5c9c95b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2647e29a97a0dc1c6fb551961b777e35

SHA1
6d5711433f81b927cb5775acac0a5b3486f1bba2

SHA256
15adad06b6cba3b375a4fd66f9b58f1022464e00ddd9484d18a4e1c64adbe3f0

SHA512
89cf1dc8f607c394051991f5b3e74250b58ecd594b95b65723df5cbdead2fb181759a9378c77a268b0aed6d64142dfa6ac28aab40a2ba460c66b96cf4246faeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
2284558f3d287365ba8d3f87b2db047b

SHA1
1c9e767c54b0dcf5e354ece0d09f21648f9a539b

SHA256
e916c730fb5019ce222bd002a7ddfbea1a98c7e49bac3a24c3de4dc53080c0ef

SHA512
a60cef81656a935a11b5e7537b58d73da4f78052f7827fe4fc84be28dc50558cc1ebf86d561485f1adcf3688523de0c47bbb3d86ac30ab50a93e071029dd930c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E4D.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC9A.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20231031151942_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
f16912826f592fcd08ac00280f96e06b

SHA1
488b4ec0684c54fe1f24eebecf327f3e1c948f51

SHA256
1620725846c541203457c39dbe0530daa48069732fd34ef3af84f021e02521da

SHA512
7f292b20c0bcd1a640c311851183c982bcb7236d5a63151ad6b480a9ccb9026dbe22132dcbb8efcdc85a92b9801b0574f8239e7a1ef959d73e9ee150fd3f81a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20231031151942_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
9cd7d49a80b3d0cb42e55522a31d0a09

SHA1
4b74a19920d71e7776179e28dc8dab5fae2b5710

SHA256
75893c269d6094fee7ba4482f21bf9d1d4d5d89c09a1060892d7c49663ceb563

SHA512
2f248185f05d601d2383e7955edb6cbd283aec41cf1253077626b4eacbaf3d90cb27d1760b665b16fb6641774632c06d7fbd52d90994b2eef4200ee84fd2457a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst7ABC.tmp\System.dll

Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0EF06~1\voiceaidriver.sys

Filesize
71KB

MD5
90e4c7c347839c09c8f7f45de3f4fda1

SHA1
18c5a6fae8c9292702d62e9ad2da1e24336f72c6

SHA256
74c4c2f122d48548019314fe15a331b81bfc10408b0d6f471dee94e37fe3c1bc

SHA512
2cf37738f112026eeb68636423e619be5e34cae7734ab1cab5d8cc799af7509d2ffca09b566cbe46bb47f54981042099e857660acc2ab24558715408c011bd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0ef06f42-1099-1103-a9d3-4c68aea96d37}\VoiceAIDriver.cat

Filesize
12KB

MD5
26f1832c761580eab272ae065f644005

SHA1
bdd7eb53423659de315d88ad5bb557ffdf5593a5

SHA256
bae9e5bbff837d0ebb43ca1ff1a275474d8e50832a590a957afc8d3ee1e5f560

SHA512
a0c5c4fa7dcc9d4347a521863b9ba4fd2f5eda4d49f70498c4e89c54b59b7773835796e0cc83470c191e1231c69885d22efe823a3a96b2b971ccd1473e2630eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0ef06f42-1099-1103-a9d3-4c68aea96d37}\voiceaidriver.inf

Filesize
14KB

MD5
fa4ddfa2231dc2c50e26794ae7356e0b

SHA1
463f4c2ac4f7505f2361c7853505b19fbe08f257

SHA256
a3554efa382a84130393a4d8656b31f06b20b9387e27fcba978162213fb7be90

SHA512
be11de31cdea93320a03892b572b17985a66d8b8483d1568afcba9d6cd73cfc8f86c628736d9c8649cb9af0acba17dc26c14fef55b2951520236f650b5a55946

Download Submit
C:\Windows\Installer\f79dc7d.msi

Filesize
180KB

MD5
143a2b9f1c0ebc3421b52e9adcb4db2e

SHA1
06e01b8cc855fd9a31f99b430f8c8745e706c677

SHA256
5d0416e45819d555ad27e5efc1aeeb465cbb8e2937b3221852bea0f7d9c3a954

SHA512
7e17309cdaa856bd1bf17535e0f65db585226262a1c9ffcaadb19eb0822a578ad9036487870b97fc86b7167848f69d495aa51c380ba9890a71f8f9a94061fa05

Download Submit
C:\Windows\System32\DriverStore\FileRepository\voiceaidriver.inf_amd64_neutral_214d6aacf9c41414\VoiceAIDriver.cat

Filesize
12KB

MD5
26f1832c761580eab272ae065f644005

SHA1
bdd7eb53423659de315d88ad5bb557ffdf5593a5

SHA256
bae9e5bbff837d0ebb43ca1ff1a275474d8e50832a590a957afc8d3ee1e5f560

SHA512
a0c5c4fa7dcc9d4347a521863b9ba4fd2f5eda4d49f70498c4e89c54b59b7773835796e0cc83470c191e1231c69885d22efe823a3a96b2b971ccd1473e2630eb

Download Submit
C:\Windows\System32\DriverStore\FileRepository\voiceaidriver.inf_amd64_neutral_214d6aacf9c41414\voiceaidriver.PNF

Filesize
18KB

MD5
9ca168d4836a570c7461f75075bffc07

SHA1
54c8d60470ab1fcdf6e1a84ad13eed63cefff601

SHA256
4ffd52bd60a6112f456a7d8810a6c08bad07f09dcf2dd452c2fa0ff02fe2f45b

SHA512
dc58b7f4c177e37bf1526da616509aec2a9595b237691ab8545fbc505c9f3e98ce412c957939e781254a60aeeab3a2944586475869d20e03bef71dcf722440b0

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
58b1c27e4ef845c91132d3cf8a83a0b3

SHA1
7a80ef6e56539cd19e44cb19a3630e595d3b834d

SHA256
f56eff329688e5a76b8c2a3e0762708750435773623111e47eb3fe5e231ccea2

SHA512
3e50e7cfbc9278f7618d107255e32e0b756bd2fbd06338d7f9d544e86588d743f850dd0687f9831feb356a586f0a2a5137c77c2e50d76b53ac9c8c5016d9dc57

Download Submit
C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\SET3E19.tmp

Filesize
12KB

MD5
26f1832c761580eab272ae065f644005

SHA1
bdd7eb53423659de315d88ad5bb557ffdf5593a5

SHA256
bae9e5bbff837d0ebb43ca1ff1a275474d8e50832a590a957afc8d3ee1e5f560

SHA512
a0c5c4fa7dcc9d4347a521863b9ba4fd2f5eda4d49f70498c4e89c54b59b7773835796e0cc83470c191e1231c69885d22efe823a3a96b2b971ccd1473e2630eb

Download Submit
C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\SET3E2A.tmp

Filesize
14KB

MD5
fa4ddfa2231dc2c50e26794ae7356e0b

SHA1
463f4c2ac4f7505f2361c7853505b19fbe08f257

SHA256
a3554efa382a84130393a4d8656b31f06b20b9387e27fcba978162213fb7be90

SHA512
be11de31cdea93320a03892b572b17985a66d8b8483d1568afcba9d6cd73cfc8f86c628736d9c8649cb9af0acba17dc26c14fef55b2951520236f650b5a55946

Download Submit
C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\SET3E2B.tmp

Filesize
71KB

MD5
90e4c7c347839c09c8f7f45de3f4fda1

SHA1
18c5a6fae8c9292702d62e9ad2da1e24336f72c6

SHA256
74c4c2f122d48548019314fe15a331b81bfc10408b0d6f471dee94e37fe3c1bc

SHA512
2cf37738f112026eeb68636423e619be5e34cae7734ab1cab5d8cc799af7509d2ffca09b566cbe46bb47f54981042099e857660acc2ab24558715408c011bd58

Download Submit
C:\Windows\System32\DriverStore\Temp\{05988e70-3208-6754-0e42-e5111373774f}\voiceaidriver.inf

Filesize
14KB

MD5
fa4ddfa2231dc2c50e26794ae7356e0b

SHA1
463f4c2ac4f7505f2361c7853505b19fbe08f257

SHA256
a3554efa382a84130393a4d8656b31f06b20b9387e27fcba978162213fb7be90

SHA512
be11de31cdea93320a03892b572b17985a66d8b8483d1568afcba9d6cd73cfc8f86c628736d9c8649cb9af0acba17dc26c14fef55b2951520236f650b5a55946

Download Submit
C:\Windows\Temp\{7F6AD93F-CA5D-46B4-8A24-701F761FED8D}\.cr\vc2019.exe

Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Windows\Temp\{7F6AD93F-CA5D-46B4-8A24-701F761FED8D}\.cr\vc2019.exe

Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
6ce5097b19cf57527651840bb438adf3

SHA1
49d0b725e5819a076562fd007490eca0bbb69003

SHA256
f24a3bc5df7e7c07c0d13f46348c989eae7f597f428b20cc9044bba47785b7f0

SHA512
9152301c4f87018d166b624d73919fc2da7e7ef74b2c1ecf8ad01c31c2b2239013cc3bc22237c81940ae96a5fd1b3698d260c3d3e0a9d0318cdc053e28328d83

Download Submit
C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\cab5046A8AB272BF37297BB7928664C9503

Filesize
879KB

MD5
8e288dd0b5e0468ed8ae01ee566e77e8

SHA1
fbd11237ae3300a2202444d339601d1ac6bbf310

SHA256
c80addc870825e9a1aa9281e105e583973ec2846bbd74f1e97cb60911ba7a2e1

SHA512
facc72bdcdd5de47c0d18ecb5288962b04d9e4924a9a07ee807a3bf0eaa77eac05f086906b680bcf97c3bad5fab0038b47c0e09cd2bbec1d0709eba015bc1c04

Download Submit
C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\vcRuntimeAdditional_x64

Filesize
180KB

MD5
e6df9f55e20905f77b136844a3844dd6

SHA1
b7c1fb12bda508a62fdd9ffa9e870cae50605aaa

SHA256
f8745f3523ea73806d591fa4e666e86c30c7e5240a07211a0c11a7633d16c4f0

SHA512
7c71c2b9a7d3d768d1686cb037362efb9e38c50b652bfaeb22cf86c6c47a85962f9893cbf5e2f86880c9c8fc8bc0278edeb47088813e022ef05d7db15efc0713

Download Submit
C:\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\vcRuntimeMinimum_x64

Filesize
180KB

MD5
143a2b9f1c0ebc3421b52e9adcb4db2e

SHA1
06e01b8cc855fd9a31f99b430f8c8745e706c677

SHA256
5d0416e45819d555ad27e5efc1aeeb465cbb8e2937b3221852bea0f7d9c3a954

SHA512
7e17309cdaa856bd1bf17535e0f65db585226262a1c9ffcaadb19eb0822a578ad9036487870b97fc86b7167848f69d495aa51c380ba9890a71f8f9a94061fa05

Download Submit
C:\Windows\Temp\{90830ACD-A747-4B88-B4C0-7F2E573539C3}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
16KB

MD5
3e789fc9b99c1a95ed81b78eaf7b7a99

SHA1
7374c94308285653aaa3974346b2e3d273b117b0

SHA256
46bc1a18a11a73137175e2ab1f2960c83b2c67ccad0614de7f4a48bd4714783e

SHA512
cee86fedfc690d9a04fb835ddfec24bf574c93579a7c835a1a00b8c3544f5a09bc5e5ec2baf7be5b433253af2b95c6fe09a8b2df10e674198933d74e6f3ee3bc

Download Submit
C:\Windows\system32\VCRUNTIME140.dll

Filesize
95KB

MD5
7415c1cc63a0c46983e2a32581daefee

SHA1
5f8534d79c84ac45ad09b5a702c8c5c288eae240

SHA256
475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

SHA512
3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

Download Submit
\??\c:\PROGRA~1\voice.ai\VOICEA~1\voiceaidriver.sys

Filesize
71KB

MD5
90e4c7c347839c09c8f7f45de3f4fda1

SHA1
18c5a6fae8c9292702d62e9ad2da1e24336f72c6

SHA256
74c4c2f122d48548019314fe15a331b81bfc10408b0d6f471dee94e37fe3c1bc

SHA512
2cf37738f112026eeb68636423e619be5e34cae7734ab1cab5d8cc799af7509d2ffca09b566cbe46bb47f54981042099e857660acc2ab24558715408c011bd58

Download Submit
\??\c:\program files\voice.ai\voiceaidriver\VoiceAIDriver.cat

Filesize
12KB

MD5
26f1832c761580eab272ae065f644005

SHA1
bdd7eb53423659de315d88ad5bb557ffdf5593a5

SHA256
bae9e5bbff837d0ebb43ca1ff1a275474d8e50832a590a957afc8d3ee1e5f560

SHA512
a0c5c4fa7dcc9d4347a521863b9ba4fd2f5eda4d49f70498c4e89c54b59b7773835796e0cc83470c191e1231c69885d22efe823a3a96b2b971ccd1473e2630eb

Download Submit
\Program Files\Voice.ai\DriverManager.dll

Filesize
82KB

MD5
0ca711f575bca2fae56fd952d9af1276

SHA1
d53d175ddc924431707b8a6e4e4e834094a5fc6e

SHA256
a789ea2806ebb04f8f9fb59c2ee0d407b64e5c33042ca7cd68aeee2fed6b0ea0

SHA512
513de025729d4eb9f9edcbf42b5f5012321ecf1383ce2af0dd6e71b881e72f310d937b59df28cb9e416a79c4294a629da07be68a1c1622f0f1f499c8babbebc1

Download Submit
\Program Files\Voice.ai\VoiceAI-Installer.exe

Filesize
699.3MB

MD5
47b51c4a94239d1ee6de41d85f8bb349

SHA1
0a9019084e063d70feac8ff9c62386f3efe88934

SHA256
060d81f1b0b23a57f4fd349c9cea299e925e708a99b4c7a0d9eb0cbd1877e920

SHA512
93b828ce8b32ac4ef2f96ede862bcfab305192bb5f3b6717a66925631b3a4fc3e3410496dce52925858ac58763479d8ec1d3aedf1bd8aab0b85a154ea0c4757d

Download Submit
\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
\Program Files\Voice.ai\VoiceAI.exe

Filesize
3.7MB

MD5
bc63a61c808ac77a79c939bfb0db6ee0

SHA1
7998e6968f80737ff57762fbc362295877df7483

SHA256
65710751192fa192dd4b0cb8cebb1adf259ca05df9b53ad3578a8316ead0c8f7

SHA512
b58fb887e54abde6ebd772803d33fe4e38252feca875602d4320906b03a1b9b3dfcba4905f235fea93796cd1c5c236ecb60fcf363a364be742020e99cabef8b1

Download Submit
\Program Files\Voice.ai\tools\vc2019.exe

Filesize
24.1MB

MD5
4a85bfd44f09ef46679fafcb1bab627a

SHA1
7741a5cad238ce3e4ca7756058f2a67a57fee9d1

SHA256
37ed59a66699c0e5a7ebeef7352d7c1c2ed5ede7212950a1b0a8ee289af4a95b

SHA512
600e61332416b23ef518f4252df0000c03612e8b0680eab0bdf589d9c855539b973583dc4ce1faab5828f58653ed85a1f9196eb1c7bbf6d2e3b5ab3e83253f98

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\System.dll

Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F52.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\nst7ABC.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nst7ABC.tmp\System.dll

Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
\Windows\System32\vcruntime140.dll

Filesize
95KB

MD5
7415c1cc63a0c46983e2a32581daefee

SHA1
5f8534d79c84ac45ad09b5a702c8c5c288eae240

SHA256
475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

SHA512
3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

Download Submit
\Windows\Temp\{7F6AD93F-CA5D-46B4-8A24-701F761FED8D}\.cr\vc2019.exe

Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\Windows\Temp\{905E71B3-8E23-43BA-8216-22253CD4C89E}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
9bd591625766a7330708b2c6380dc1d7

SHA1
18018a3d12278187a8dc26eae538a799511bbdfc

SHA256
21503f265452414f3960b33ba000ab2cbe0a335901e3a585b0935ac4806fdd79

SHA512
58c90b7889d92f31e76d0559258023cb4693982288721c3c7fcd820e40f6c1ee972d9ffd3c95016c2126314a260da5faabdeb1a8528eb23d469a7ecbe391c1a5

Download Submit
\Windows\Temp\{90830ACD-A747-4B88-B4C0-7F2E573539C3}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/1924-666-0x0000000000D50000-0x0000000001106000-memory.dmp

Filesize
3.7MB

Download
memory/1924-669-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1924-668-0x000000001C340000-0x000000001C3C0000-memory.dmp

Filesize
512KB

Download
memory/1924-778-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-779-0x000000001C340000-0x000000001C3C0000-memory.dmp

Filesize
512KB

Download
memory/1924-823-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-667-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-777-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/2316-780-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download