a47a6bf261653d93e2ea58aef52439018b39c675c14620afe5b7dbea9367fcec

Analysis

max time kernel
347s
max time network
349s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09/03/2024, 19:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

10KB
MD5

b64e908eb94bb89f543b7c8f5ce799ef
SHA1

9ce286f8a365983eb53ded8c6dc6185da5d76212
SHA256

a47a6bf261653d93e2ea58aef52439018b39c675c14620afe5b7dbea9367fcec
SHA512

1d2376f70500ea8ca4bb747c67e8f489255012001985fc2e2b6bf389660a5814363edfbbca9e0c8416a2e4bd23e4dfdc6337d3a620b71d45212407de5bb11099
SSDEEP

192:/zPjL09tR4IIwlPeKGyLIoMwDk+mi8J89VuLmHHDJszjCU3Ts52yWbcdMCWkj0yo:/7jM6LnAfH7mjfSVgVsKlCS

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\SET6EEE.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SET6EEE.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4680	netsh.exe
2788	netsh.exe
4808	netsh.exe

Executes dropped EXE 20 IoCs

pid	Process
4952	VoicemodSetup_2.48.0.0.exe
1160	VoicemodSetup_2.48.0.0.tmp
1136	avx-checker.exe
4608	avx-checker.exe
3628	avx-checker.exe
4032	SaveDefaultDevices.exe
4504	voicemodcon.exe
4580	AudioEndPointTool.exe
3476	AudioEndPointTool.exe
3628	AudioEndPointTool.exe
4632	voicemodcon.exe
2072	AudioEndPointTool.exe
2308	AudioEndPointTool.exe
4460	AudioEndPointTool.exe
4384	AudioEndPointTool.exe
648	AudioEndPointTool.exe
1880	VoicemodDesktop.exe
2536	VoicemodDesktop.exe
4632	VoicemodDesktop.exe
4828	VoicemodDesktop.exe

Loads dropped DLL 9 IoCs

pid	Process
1160	VoicemodSetup_2.48.0.0.tmp
1160	VoicemodSetup_2.48.0.0.tmp
1160	VoicemodSetup_2.48.0.0.tmp
1880	VoicemodDesktop.exe
1880	VoicemodDesktop.exe
1880	VoicemodDesktop.exe
1880	VoicemodDesktop.exe
1880	VoicemodDesktop.exe
1880	VoicemodDesktop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\Voicemod = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\""	VoicemodSetup_2.48.0.0.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}\SET6D96.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}\SET6D98.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}\SET6D98.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.PNF	voicemodcon.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}\SET6D96.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}\SET6D97.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}\mvvad.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}\SET6D97.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b7d7671-ed88-3145-9c4a-82c7f6bfe1c7}\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.cat	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Voicemod Desktop\System.Numerics.Vectors.dll	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-0QL2H.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-479OM.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-99FGF.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-84GST.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\libcef.dll	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Net.Http.Headers.dll	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-4RKT8.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-U25NA.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-UNOVP.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-MULIA.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-7T9QR.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\IO.Ably.dll	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\de\AutoUpdater.NET.resources.dll	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\gu.pak	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\nb.pak	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-9P17A.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-0F9LR.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Extensions.Hosting.Abstractions.dll	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-LPST9.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\fi.pak	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-MVCB1.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Elasticsearch.Net.dll	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-0V5RI.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-ADBKR.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\ko.pak	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Extensions.Localization.Abstractions.dll	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-5DI02.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-KCCLQ.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-TIPGM.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-TGLIJ.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-SBLJ1.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-L96LT.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\lv.pak	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\SimpleInjector.Integration.AspNetCore.dll	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.ComponentModel.Annotations.dll	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-HBFPN.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\44100\is-OQT3P.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\pt-BR.pak	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-JHGC5.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-G0FUF.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-LNR2I.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\ro.pak	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\tr.pak	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Analytics.Xamarin.Standard.dll	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Extensions.ObjectPool.dll	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-GVFDB.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-TAGCP.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-A632V.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\JsonSubTypes.dll	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-L4D9S.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-VURCK.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-4KTBR.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-V6RQA.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\es-419.pak	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-L2STN.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Server.Kestrel.Core.dll	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\SevenZip.dll	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\en-US.pak	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\hr.pak	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\NAudio.dll	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-7Q3OR.tmp	VoicemodSetup_2.48.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-2MGU3.tmp	VoicemodSetup_2.48.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\cs.pak	VoicemodSetup_2.48.0.0.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem0.PNF	voicemodcon.exe
File created	C:\Windows\INF\c_media.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	voicemodcon.exe
File created	C:\Windows\INF\oem2.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 62 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4336	tasklist.exe
1420	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command\ = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\" \"%1\""	VoicemodSetup_2.48.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod	VoicemodSetup_2.48.0.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\URL Protocol	VoicemodSetup_2.48.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell	VoicemodSetup_2.48.0.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon\ = "VoicemodDesktop.exe,1"	VoicemodSetup_2.48.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command	VoicemodSetup_2.48.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open	VoicemodSetup_2.48.0.0.tmp
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3594324687-1993884830-4019639329-1000\{C02C5FF9-7FDF-45FF-B026-2356B71CCEFF}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\ = "URL:Voicemod Command Protocol"	VoicemodSetup_2.48.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon	VoicemodSetup_2.48.0.0.tmp

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 351281.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VoicemodSetup_2.48.0.0.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3664	msedge.exe
3664	msedge.exe
908	msedge.exe
908	msedge.exe
4064	identity_helper.exe
4064	identity_helper.exe
2072	msedge.exe
2072	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
3516	msedge.exe
3516	msedge.exe
1160	VoicemodSetup_2.48.0.0.tmp
1160	VoicemodSetup_2.48.0.0.tmp
124	powershell.exe
124	powershell.exe
124	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4336	tasklist.exe
Token: SeDebugPrivilege	1420	tasklist.exe
Token: SeDebugPrivilege	124	powershell.exe
Token: SeAuditPrivilege	3416	svchost.exe
Token: SeSecurityPrivilege	3416	svchost.exe
Token: SeLoadDriverPrivilege	4632	voicemodcon.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeBackupPrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeBackupPrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeBackupPrivilege	2944	DrvInst.exe
Token: SeLoadDriverPrivilege	2944	DrvInst.exe
Token: SeLoadDriverPrivilege	2944	DrvInst.exe
Token: SeLoadDriverPrivilege	2944	DrvInst.exe
Token: SeDebugPrivilege	1880	VoicemodDesktop.exe
Token: SeDebugPrivilege	2536	VoicemodDesktop.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
1160	VoicemodSetup_2.48.0.0.tmp

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 780	3664	msedge.exe	79
PID 3664 wrote to memory of 780	3664	msedge.exe	79
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3984	3664	msedge.exe	80
PID 3664 wrote to memory of 3528	3664	msedge.exe	81
PID 3664 wrote to memory of 3528	3664	msedge.exe	81
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82
PID 3664 wrote to memory of 732	3664	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca89d3cb8,0x7ffca89d3cc8,0x7ffca89d3cd8
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1336 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7084 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1680 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Users\Admin\Downloads\VoicemodSetup_2.48.0.0.exe
  "C:\Users\Admin\Downloads\VoicemodSetup_2.48.0.0.exe"
  2⤵
  - Executes dropped EXE
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\is-OJHHB.tmp\VoicemodSetup_2.48.0.0.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-OJHHB.tmp\VoicemodSetup_2.48.0.0.tmp" /SL5="$B013A,116886350,720896,C:\Users\Admin\Downloads\VoicemodSetup_2.48.0.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1160
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=8399c447-75d4-4b39-9357-837c0d65b7cb -o C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\deviceId.txt
      4⤵
      PID:5004
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:1336
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
      4⤵
      PID:400
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_VoicemodDesktop.exe.txt
      4⤵
      PID:1844
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:3180
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpLicense\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:3516
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectDir\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"6\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:580
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectTasks\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"9\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:2896
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpReady\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"10\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:2940
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpPreparing\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"11\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\avx-checker.exe
      "C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\avx-checker.exe"
      4⤵
      Executes dropped EXE
      PID:1136
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpInstalling\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"12\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:4592
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Install\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\avx-checker.exe
      "C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\avx-checker.exe"
      4⤵
      Executes dropped EXE
      PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\avx-checker.exe
      "C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\avx-checker.exe"
      4⤵
      Executes dropped EXE
      PID:3628
  - - C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
      "C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt
      4⤵
      Executes dropped EXE
      PID:4032
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""
      4⤵
      PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Start-Process 'setupDrvAdmin.bat' -Verb runAs -WindowStyle Hidden -Wait"
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Voicemod Desktop\driver\setupDrvAdmin.bat"
        6⤵
        
        PID:1700
        
        C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        7⤵
        
        PID:3336
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        8⤵
        
        PID:1412
        
        C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        7⤵
        
        PID:2144
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        8⤵
        
        PID:8
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "voicemodcon.exe dp_enum"
        7⤵
        
        PID:2836
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon.exe dp_enum
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4504
        
        C:\Windows\system32\net.exe
        
        net start audiosrv
        7⤵
        
        PID:4308
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        8⤵
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        7⤵
        
        PID:2508
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        8⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        7⤵
        
        PID:2328
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        8⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        7⤵
        
        PID:2304
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        8⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        7⤵
        
        PID:3536
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        8⤵
        
        PID:3560
        
        C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        7⤵
        
        PID:2928
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        8⤵
        
        PID:2268
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon install mvvad.inf *VMDriver
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\system32\net.exe
        
        net start audiosrv
        7⤵
        
        PID:2620
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        8⤵
        
        PID:1808
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{f11677a8-2d34-455e-a922-948fb24c8b53}" --flow=Capture --role=Communications
        7⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{f11677a8-2d34-455e-a922-948fb24c8b53}" --flow=Capture --role=Multimedia
        7⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{f11677a8-2d34-455e-a922-948fb24c8b53}" --flow=Capture --role=Console
        7⤵
        Executes dropped EXE
        
        PID:4460
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\disableDrv.bat""
      4⤵
      PID:4628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
        5⤵
        
        PID:3536
      - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
        6⤵
        Executes dropped EXE
        
        PID:4384
    - - C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setvisibility --id="{0.0.1.00000000}.{40328e5b-74f7-472c-a7e7-7d9863d7f161}" --visible=false
        5⤵
        Executes dropped EXE
        
        PID:648
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      PID:2608
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:4680
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      PID:4912
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2788
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      PID:1556
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:4808
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Step PostInstall\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:2896
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpFinished\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"14\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:432
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1880
    - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=gpu-process --no-sandbox --enable-gpu-rasterization --disable-gpu-vsync=0 --log-severity=disable --user-agent-product="VoicemodDesktop 2.48.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=47616 --field-trial-handle=98608,i,9122995902528138494,6419609213257133028,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 --host-process-id=1880 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.48.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=103936 --field-trial-handle=98608,i,9122995902528138494,6419609213257133028,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=1880 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
        5⤵
        Executes dropped EXE
        
        PID:4632
    - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.48.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=53384 --field-trial-handle=98608,i,9122995902528138494,6419609213257133028,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=1880 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
        5⤵
        Executes dropped EXE
        
        PID:4828
    - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.48.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=10104 --field-trial-handle=98608,i,9122995902528138494,6419609213257133028,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=1880 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25 /prefetch:1
        5⤵
        
        PID:4964
    - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.48.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=34164 --field-trial-handle=98608,i,9122995902528138494,6419609213257133028,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=1880 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25 /prefetch:1
        5⤵
        
        PID:2940
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Done\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"8399c447-75d4-4b39-9357-837c0d65b7cb\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
      4⤵
      PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2897877263325287207,1649372876860220708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:3712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3416
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{756c5992-9444-4e4f-82c3-f55893ce04a8}\mvvad.inf" "9" "499a51a03" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "c:\program files\voicemod desktop\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1152
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:2022.6.1.0:*vmdriver," "499a51a03" "0000000000000160" "8398"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voicemod Desktop\Voicemod.VoicemodDesktop.UI.dll

Filesize
6.0MB

MD5
09951011ad4be991fe6bd28fc924a6cc

SHA1
eba98930437408e7cdf49c526ab2a7a8f4655ed4

SHA256
dfc3772ed1ed0f03ac487fe4f7225200a429ef75a3b762755128880ab28b0c0c

SHA512
756d9c91cd9ae34f5428b069e18eaf96ef44066ca1b52e7c8e27025e591fdb321a17af4664ad0d20d5fbbdeacc4b45cbeca842cddf1c0ac9c1fe8971208f7e20

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
3.9MB

MD5
dab4530fb7527ec5d3cf5822780d7edf

SHA1
113c8f7fddef3abf9b76d7d40d2d88cc66e385a6

SHA256
d71d0f8dedcaa77b27dcd3e6f8fe64b6a9d6b8bf871891037c61ccbeaa1cc120

SHA512
c736ad8cd3ff771303a403cdb3fb8051ae05ba7d8061e8db72b341eabc8668fac21bfc39a8cc45dc0de26cc7e0ad26e0a6beeeb7d63ad2882a8476f3985e6145

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodSDK.dll

Filesize
6.4MB

MD5
27674389dba3bae6710631ce2d2fd830

SHA1
2dde58fafc84aff892b9e2ba5a12a0780c756e2c

SHA256
02e34da0ea722c7130d2b99be99312ffb7c63f014bec544e11559e4e0e287e12

SHA512
01caa143d216ba3406bd6c3ef6ef82fb09996509b5bc9f92de9bcf3e96e8f84c8ce4deff0d94e9f9282562c501c135de65e91a1e5af84ea8fa1863b8f0ed4e25

Download Submit
C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe

Filesize
619KB

MD5
c6914a82266c8acfba3286bd5cba9db4

SHA1
0a8db93fb22c9b2683bd0a7e0eb4b66cde02b82d

SHA256
56f0947c0cd75c6a0a1b599c15cd43e531fa4385f003293bc2ad9022c8070054

SHA512
896c0ddeb404dd43aa6ac817d9b323eec8bcb7e03388afb361a7fcf5e56550bda76a185c340ef0b65380314248ffbe5bbfe38c699435f51ed5211ecb99c91f55

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\mvvad.inf

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrv.bat

Filesize
155B

MD5
40828dd0bcea33a654a95424a47ba6ac

SHA1
1628aa873bcee8535956c58d09c501999a109fbe

SHA256
c26adbc237104e98381973202b8749fa68329be80a10e54f3b6a046b04b35cdf

SHA512
14487658a8376a96460e2fe669f91716d7ed604b9b02df44cbe8212869ad368f31f33fc50617c0650f64893faf033af2ad209849083177ba5469c87e6ce27236

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrvAdmin.bat

Filesize
1KB

MD5
0f7177b97fdb5588f4f4ce93cba508fb

SHA1
e26497ce0f32c52e7e8eee534c1e94441ad6ee5e

SHA256
a3371fb86a3a865d51740c41791559c864072f2a4d146773cf06e8e159e18c88

SHA512
95e1d07cb7360d83cabff69cb7bbd670602e3077fb313fd1aeb10b025bc27d0b92aa848b34d5cf63defea030634d26e81838e9b1f5cb8f7007e12f2fffbeb59f

Download Submit
C:\Program Files\Voicemod Desktop\driver\uninstalldriver.bat

Filesize
1KB

MD5
a6261c36b1eb262f18c98e520966c329

SHA1
be1f1a0bdcc2f26bc41599b257f2b4c95a1a87a1

SHA256
d0cdbdb5be2be15f77861b6e08aa553d9e8580c224ef0f63e55064f415fc16f0

SHA512
06da998b9778148e15065b67ea6ffadd6df7babf6b1b435368e6c7b6e91d3506d3c3498140cd8b950e207d97c78a899e567b4fbf462d07f7ad473a878ea45fec

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
88a552e6be1ac3978c49143983276b3a

SHA1
dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423

SHA256
927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5

SHA512
125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
31KB

MD5
1fddfdab08937ca30e43dc454840c64d

SHA1
25af586ab7462e30465c9306426062b9d10bd058

SHA256
c578d1b5c5f608df3926d2658217ae728beace6455244c0cd9e3e3d15e455013

SHA512
b0f5666b0fed1321f525f72b5950b8c694032160e6e5fe101201f4fda3ea3c04fae226a997f949478a93705c8a2f25e3567eb69e35dd7bb6bff85d4bdc481fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.1MB

MD5
60021246cef1f0978983114d1fd51250

SHA1
b4cd22c3fa223376820c53fab738473732a0682e

SHA256
5cf8acb556090e2c26d420340e174d7948ca191e0334ddb1258da8844d4a2f3f

SHA512
ba1395b1814e266915c44e7b72f6f4d3a9528eb60948a1d9a6b501d129dcee6d8fe22125e569a618c25bd89b9128e088b3ba6c0ebcad3804a128f38f0e614b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
33KB

MD5
3cd0f2f60ab620c7be0c2c3dbf2cda97

SHA1
47fad82bfa9a32d578c0c84aed2840c55bd27bfb

SHA256
29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b

SHA512
ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
75KB

MD5
cf989be758e8dab43e0a5bc0798c71e0

SHA1
97537516ffd3621ffdd0219ede2a0771a9d1e01d

SHA256
beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615

SHA512
f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
37KB

MD5
5587bd067a647a9d67dc7d83a1f2ebbc

SHA1
9e39a6324383b877321736d3f97f52d527f9565e

SHA256
1082725e71074560a3960b389638af7b455c9ad5101e7aaa5aed62a2c32949fe

SHA512
c3201124b2ffd3591b17c96ad9d05612615f70da2ae454365fb21d064ca4d403a0929e5833b425af1e7a3234d7d34aef55ce964a78c8fa56ea3eb6523a358a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
109KB

MD5
a56b10f0a1c903b60547f5b51128c2a2

SHA1
566e0b29c0ed3810c4bbfae25456d1b390f206d3

SHA256
5c745eb9967525690777602a542097b522c0852fca8f8a6adeafd1995ce78a61

SHA512
81020d63cd27bc372839aad4e6e8af75c229f3db3f117600bfb6d75f4d1c623f405c61e316f721de40ce4781f08448f286dc7e1be11bbad501c9de3661f3ce12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
71KB

MD5
47c4f263c377cbf0c240f077fc769e37

SHA1
5770770ff6e9d45ec0803d9419b1b21467b331cf

SHA256
352a19746693edca1a3ee3e79e6985c0b016436e5d8c0f4328471b08ff5b0332

SHA512
c30df47bf8d2bae0385e4ec4031eee476f3faea202cabbffbd846c52a88fbe63eabedb8de07622301d2517eec0085911eb285cf536949a9f756a2f14d7834f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
17KB

MD5
34ad3fc10406ef6d253c7dca1cdb8c4d

SHA1
ed9e145cab37f0b666fa2a755149c65778738cfa

SHA256
e249d0d087095304789a6eb65a9ebae8646db82c8eae22554c4778d8a3fd9946

SHA512
c65e273a3b9f41a410ea099cedf2848d6d2f2e896833ee15ae79e8c7b4e83067da215fe106cdcd4cccc86bf8174f280f49fc8194f46eb826e03af64e1a8c2ff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
67KB

MD5
e3aa4e15906ad1a4a802d9e65e6100d0

SHA1
ec8c68665e1377e3c1cd2d68f2049587a3b1bc88

SHA256
ceb1ad987c2d99026cad483da64d549e2134254b68bb90c32ea60bebaff90916

SHA512
49736e6f31cc3ec9630e4acbfc42b1c6ec1e18e90eb16806362d54b366e51cca77edc216142dbb77df8f74e0afc1246852407e6219b0f1917c4fde190c204b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
329KB

MD5
90bb079562f043a0951fa220f9b62727

SHA1
e17ffa0011ff5a0aa9b9da8a59a86df7d81686ee

SHA256
4d0755240b8eb75d11a31fa129025ae1a18da1b588017ba420d1ec89bedaba0c

SHA512
1155af8b57a6877c0df251e70f2490fb5878de7de549b8f6b863e99e318bfe79cea33ca92568373b266b082886e376f0daf72215ec9e8202274536337002f4e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2ce29dfb4fbfd6fd_0

Filesize
5KB

MD5
06ec0418ecbd9bdb19b8af48aa5c68a6

SHA1
cffd410f9c28f638ac8b6e61a4af7cb5fe12c1a4

SHA256
a87854b6a98a105d9ff1c0bd12706799da62453e9a96d4818fb5986b5a92f62b

SHA512
f95acaa2c8a2c892ca3d0e2487f4694c52ab89dc533355950a1de35f324376a37859fcf7864cfba44d230becef0d9ec1be224af81dcc21466e51bf9f52fae639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\45a16ff6d0d9ab5f_0

Filesize
1KB

MD5
3f73bf0933d3b8477cbcb974cf7af50b

SHA1
2eb9ca135339461ea429e08343d448288d5525ad

SHA256
9a44a1e4df801cd30854382dc43d0b04bd3cf6983ec5d1b30871ec25b03d78fc

SHA512
447e5cd2f35401b4838f90fadc2a06efdb7b5537c9678bbe6f3be618bfa62b14aa9699cc6562520898731a7af31120b7318bdf90206502b1f11b23f7c59b9f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8a8a0bd83e0f6ac4949a50a151c669bf

SHA1
2def29420f2c27e66189d800ba948f95f790da07

SHA256
8d86a1f247d34732cbb8e8939e4711879a313ac3616a8e4d2bf89286e3707790

SHA512
f2c20d4d4461f95a9e06971486236880bd3d14d3180a4254c5d054e9335dc86183d9220eadfd5d32c30bcfe21641805e749477cf5ad1b8c3e0acc48777f77240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fa20a647acbd15746b944a7fe6375ab7

SHA1
822eb48cd9e1050de0e602f18fa486f1dde88626

SHA256
c17b3ff641df85927f3928591d7d799b47d5063808ad080b604cd5eb5ed2bfd6

SHA512
53167af0f833c4131ee45321a95415cf3e347d38bdfdca28cef6ca0121a8378f351b8c591508979df5420e469b391546c2f996d9a4d8a3d6ec9882279f926c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ced8827ebb38b19d29b17e72a7a29246

SHA1
f7def52fcbdac571838d1467f9273c13d2a1fc6e

SHA256
a32ffdcab0acfa5da77eb1afe3476d6c9bdae8ad03216585d30edf857bb915c9

SHA512
31b07e1aa4e8d977e652ebe5ee780e2d83aca1f1f6a002bcf05c4a193ae82b005be543b764b7253aa60885ecb1eaf322cdd4030c58c768410b4ae75750b9d334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a1e00b1ac30825cbe8e9eb5fd7bec780

SHA1
a2cffcc5bd8863d2e9800d1252f2fe9a38a6fbbf

SHA256
6aed894eff34e4ebdeb6acfdf5128b37496cb102ef92e8bf6de5c315dc4fdb52

SHA512
27dbb13a8fba26149abba0c766b41f8f087802a8be35691e434ad853f30b4e7811a94cc039eb5ded5c2a56e4ceaa47f411a20a5271df4430fcbb0dbb863cfeb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a255575de33bf307958ffbd53d145f21

SHA1
e37b3e018a7bcc77a728322d1e830f12a75a9735

SHA256
bddf571f0e0523db7aa072e31fdc6b1c409b5d7b5bcc66832a3989f39d03feec

SHA512
bf073ae12615ea67ef9fd82fbe893eeace584f9fba1a9435933a11ab070e34876153c13c9819e2cb1ae87611f6d3944a41760852a314ef530ae362745035e40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
64f0fb08807c203bf629a58ada4fcd5b

SHA1
49145772d5555ad00b9ac801034ae4eb910c3fa0

SHA256
746cf0fbcedde2cb17d2ba20d4980ec8100c382c52dfca6c0faf2018d5ce5d74

SHA512
0b9664f5179899d81f793cce8a8037bd306430aeaf1c97b155d4ddcfce7be7e93df62d1f26ec463495015bba6bab6f70f15f758484b9bbbc6acd661fc4688b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a1d8c2b77913ce194a0803562a325bc8

SHA1
6b97356eeca331aab7e42e6621ec239bcde42d0f

SHA256
5e4bdc812c24dc27cd82032883b517819a06609a7125eb73a80f0eacc9385b1c

SHA512
902df77b4b612c0456319139de47838377244da5c34f5425bc723c60805333df4e4f1cf1290019759da93cf4ae3af0dc42c6af65bc9137684ef45a85a86f24f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b4d5b14ce39f7db37c4c4b7f3d79de4a

SHA1
8b8014c6df27fad942318e2db1ac9d86f46627a8

SHA256
8f2ca0aab2252ba95af0a3c4c8d4f85024ea6839ff6630165bee0abdb6d821c2

SHA512
77f29713cac7664432c7d64f3a7c09642996ab537d17a559feb5ca63abbd3766658b743907b21098c3e4952a58cb640b0f2e6e4aa47bd56ae8e6345e6952f728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e9bde054d49fd37b1560d83e555bbd6d

SHA1
ba56426d13c758bf74dd6c2415864cc08e8c737d

SHA256
aa33536a3f767b1c167f786f1b4619830e78255f673545a021446a7b8d1e91ec

SHA512
e0b822a27462ba0c1063db10117c91f87ad40ca354f9340817fd55b576dbbf743e3358f1db80f9d31819e3eff09e163fd74452e0e363331861b342c21b383e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99ab25ebfd5d8c8132a0fd8ce3c3b828

SHA1
f21cc947c1cc0d3ad3d46f5aa793f1781fee400f

SHA256
bcaab4c298e3e9cae3236186d443903b4f2917f60565cd25739f308177360daa

SHA512
e026c3c2992fb8c34a4d0fc66cfe716372695e87c5f72ae49c76de82841624f3c1682bd4f7e9c0bccc433a63774dbdda6fa044d3385fa3223dfb7bb569c9cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0207b79253a5eb0b0f3f8e008882d626

SHA1
dff2bd647b109a855a9e375a2ff71b6f281d9a8d

SHA256
2b8d406c3c7066d7ada57a31d91ad485f492f2c07228c4a2c4b5ad6c6afcec00

SHA512
767067826bd19a72ad6da0ebbb7b612aeb092730cb59d931f1deef787574fb4db703077ade5ad3d4dcc82604a25fed5f91425c871831338a12c33bbed85df8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2724f758e992eb36fdcac38dfe849c9f

SHA1
21094bb0534700d6a268303f19f02f5a9876a19e

SHA256
90aed50737bf19b1b0aafd0eeefbb6137698a1c5d71be6366708fb87d7bea920

SHA512
609795ea725bb03ed2f07ae99ee8fec023c0ab557828a993adac4aa683254625872ed379f25a3ed0b1cdd008e76e2d442363d887818e1339aa2e599a27637cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
81180c3eb70c010302c55f7fb035bf3e

SHA1
39ebec3bb14725207f9fde7e0b134b50985eeb1b

SHA256
c9050e6e2752940d0789c5770516ef8c387542be68a8f420886b038d8ea3cacf

SHA512
d44e9bbe36a745ec1c6841e39749f7a8ecbc882838460c268033575d8bc10af9010ce5cb947636b22c5da7bc3c919bd97272acf568896af2e8ca1e2b4de3cd00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd1f6e84a408a6f3b15c48af6b6a4ee0

SHA1
1eeb4103f0711e600d6303f8f0630967b97a56e0

SHA256
30046eff43903797f6666ee9a615d0621c85fe7e315ca20840bc052216e0fa19

SHA512
f92b36e517a6d715c5fc287a8e14650ebf3f59a4ac31df161fcbf3d00d90441329548b3eef621ff8307365e8148b5587d5c6261a60ede9ad55b6dcfc9fa2b409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0923c220eb75be70bbda38765122ecbc

SHA1
34f911d296c9ea952a1a5e61b17a1dbcc0e9953c

SHA256
1a69a2d77237d8dbb300e39756688ab96f7fa583dd75a4b7816f3e6b495e498e

SHA512
0c2318445b130cd4aee9985276f142577a4307025aec0b9fbe8907deb78b70f7fcd00f7ab45c9bca30450df0af13de37d6fc07331e5951ff5ca6f307733569a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a59e97c41023a9e9ecafbc3d24c0d493

SHA1
a09f16e17fd6bcdf42980aedb99a8c9ae924e7d5

SHA256
4c6f9e3c08cd58c62a614eb352dbeac158a0798222066f984f53a9eee92c299e

SHA512
4e1383d5568b6f023b6fb6205897f741722c790d4dee4ed4fc8907a98ba92dc33592627389870d92a6ed93661334247c89c9a14f79a2f10a252b355ff21f541c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ada1c1d0c67f7e64c31fb10d26c366cf

SHA1
f94f703de4819d9722c3c80d8d188c604d82744f

SHA256
b0cbd83a0ee69b63d27de7740e9c52e4377da40cf7a1570d64f67cbd7a352525

SHA512
00b5413bb4fa01636c2779aac3f806fc533f0585d07a64e33bce559941be18695883b72f57f7b3e936cae5e3c44f3230e202d6d827ce45b893e2e9dfb89ee18e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
af8a1b43edff8e7e864857e87af32118

SHA1
0869602a10a5edcb7cbe804712b2f9ac17b9105f

SHA256
05de68bbe53032d69589c3055afb6c8aebd4e46922f23420aaa4d21fbe802060

SHA512
ba1e0975c5a0c099ae0f4ce702ce147f810926309caf99a60d3f4c5fd62408afe68deea4621ffc574ca21a9dd33f69f840d24cadbbe144345738fa07cc02dc99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9a0338b21dfbe10c97972ab6747868f9

SHA1
e9a5c5af67d373b50956b4feee7f889e8eb51e86

SHA256
17f5931d9a29849ba5290425b1ba032e4d2293f5f082296b5ef5d552ff945829

SHA512
5c8541cbba27e3ed1895ef8db7d1476eac4abbab99d14c57707699287d5f8334f9b51311fb5d31e33ac0eac1717382690c1f3700df27fb942f69ec8119a314ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
59fdd0cde6d9fd21dcc258f9d29cf14e

SHA1
8a105ee06ebdff3b7e02f13950530aa42dac1f13

SHA256
c30a06b4f241cdb630d933936779e2bfcd3d9f2688f96648352a72200342e87f

SHA512
8f2e665546fa2e5bc73555c1dea8b7f802392d061c01fa62466284f0d5f2dd8210a125ef3d2e1eb3be29b2485e6a688855908d8f195b054b1eb02332aba84c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
79a52834329f45b08581b7a87126f75a

SHA1
19db16259aa2ffa0b6c71133a38cf702d4477615

SHA256
82dc37c5bd427b9b388185b450b77f4943bb08128ce237e3bb47198b18e0a658

SHA512
e512e87b4fde20836cb5e1eece4323b685a99cbee2457385065305bd4af74ecface50acfbd6f8e25eb1a74969c69a4eaf6956257b97aedcd4c7811c2ac469790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
32d319c19c10d24735238f709f98d3eb

SHA1
5242d6a88b49f94cba6bda93ca59491acac22d70

SHA256
c6a55275cbb674e31cab221b001f5f5007b0dbc88c191d75abba7825090e9a63

SHA512
3e758a863861694dfdc17c84f9279a314dcb7d249e0dc5e7b52069e81543a210df55734dcb5fe231a196118f4e77cc95baf69a41a307a9062fb9159470800009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e5413681f1671a0f3f0ca55cec1c24b7

SHA1
359aeb44e9b99e1aef5f5069fab779f1ee8e6094

SHA256
2f1a5155a33d0cfe32207018d581a756d760fe749167c028a4b1e181c51584ef

SHA512
99cd8f1baa885f0138e4bc749649ad0df6cf51fa213431221a04f68391d40b941df922e6809ff662cc00a8d2baf7adf9a6d6bbcef6f9ceb73065ceed5ab18568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
317bb56bc08c42c02c57755aab1e3a19

SHA1
a7a069d71e316584845ac9f1682d15df8d2adc9f

SHA256
80c931d857fc85d2684defa3e07de9dfa4f83bea9a7440995282b1dd4952f551

SHA512
bb8eccb97c4ad9ddce4bc4be5149309332a63ed1dc5e3b61772092b41a7cc695eef293fb9a16b1d39692d0f089c6da80536cc57d03b1dbbd3d5d90559f714a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
11e883ef6979519e1d9e9bd66312dc93

SHA1
43a3a9b5dd66e39745939b0c545c18e16d97b0ee

SHA256
03367be8ede84ec61a185b38d120720e015ba8dc87f6faa3691c390bf5557199

SHA512
1f9f9a93312ceba82ce50e851da0c5991397e25916fb3136fba1c1926320b7ca6f225a0b45fa72354343481f9900453aab1de9c5567a26511a72ec5cec40be3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c8f0d11c7d74b836f462ce5f486ca046

SHA1
272be965745229f0b9db891fd99604e345c186b9

SHA256
87abe765d140f2487ba1151c9233eb8b58fe523301bea61e1492f0d11f0ce0fc

SHA512
e91a43eeda3b3be6018b5aec59fc4c526a87d0c906f61dcc75205f8a1a7e00d1bcd1abf26aaf0a1af0eb6f09a0891e053f26693a802e4129a2b3aa69bafa1749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ca613089a696a9bbde14624080db9cc6

SHA1
e110c86984241e9f3530552ffa33b655b6e7b8cb

SHA256
fe116e8a01d027590447306e70b9e0ef6ec4a7918e2d9dbcacb6a30d0d3ba36e

SHA512
455e7aac61c91e138d0fc5511e6b6e8f3b3345b036cb8cd9196c93f85846d28bb783be4ec4c156d3d53f1f0d1302326f187bfdf06b77674736ed708b0de84ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5804ed.TMP

Filesize
204B

MD5
6cebdcc48a52647159bfdf80ee3e4489

SHA1
4e424ab7dda55e622a48db9d4988b2af420a0121

SHA256
95983e092dbee8e559e41c9492ef3eece6f60f84acd2029ee5bb9374813c5299

SHA512
2cc59994da0761bcbe649f1dbd38dcdda3b6dd5a4c212e999eba93a9af1ad6d9119bdd415e559720bbc13ff1b35acd990f3d92dc650e252aa77a1bf780a53ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
671b502979ea1be47a86608bae4d577f

SHA1
4c58dc931c331e493f71cbe6e38f1645bca1e7ca

SHA256
8bba3c627854310e073ffcd7304405b1c20083184cc8fc43128a9415cc01025a

SHA512
a8ec7ebb375ea5ce0c743d72526a896c612017b1832f60090a053097580eef0c35993093924eebdcf4e5b3bff2327dc87a86c24bf237e0728fc1da6843b250c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e1cfe3f867ce1fac20be9d7c7078afd1

SHA1
63fe6e2fd49b66014da030b3669e19fda7a7a1bc

SHA256
04dc0e0ba46079079f8c811ac123a8c8c25839b8c3efe3c6de71436925768d99

SHA512
d6dac6d04a5bfc02871f9cf67e66c642054f154e4ca3466d8058569dc1a828310f43792b10d4a0bec410916e326afc669e7f463904fe475f1cd8c57cc2904aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5d5vpojw.hrn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\avx-checker.exe

Filesize
19KB

MD5
ec57c335046baa522f7f8a9c57087a16

SHA1
3e052543ed306c11073ae80db1baf16441a97175

SHA256
dbd485a8249aa067da1cad470ac0ffeb0000c23188ef2099722afa08a569a3f7

SHA512
2a3393d6101856ac85ce19814c4549f8e41a5bea99ed57d5ce88f378fb8665a9e4cc31d70a411b0e9db756d462dd7633bdec649ade5391bd36d9795f1cdb1dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\bg-bottom.png

Filesize
1KB

MD5
a85701bbac20a65391e4e202afc96204

SHA1
a0e73596a79baaa29fbbb368bd132e3ee49d3b03

SHA256
7e3058acb23e999d1ddfdea122afd33bc487b075c2a966affeec4d38cdbb738f

SHA512
55b1015a0d6a613104ae7edb64a59d198a176ee4fc0c32d9f1af1e7ad577af606adf55ea5586ad25443fb9ea9e770dbc2267301027c1a5f3db5eff928086a27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\bg-inner.png

Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\bg-top.png

Filesize
32KB

MD5
dc19715992c0051d1456308b41f04e98

SHA1
85abf86dd0e738638fff84ecd44e5b3cdbb4b96d

SHA256
86bfe5acda1b1fc9bc8f205a58c824ad58179925d2ceae11b2a341122604457d

SHA512
2f7b3bfa6c084b830213996f7691b6abcb9efd0ac44da4739972758b4eab0478e46761d8590fcea03d2902909c2c992f1eed1ef48e353a05ba67c06189d2117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\buttons.png

Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\deviceId.txt

Filesize
36B

MD5
ff6c47b9df8d61e5a2328195b6b642ae

SHA1
5455f84c4f38d463dc6eb2ea984406defc71447c

SHA256
942d497057c35bcc8ad86dce3436676ef97543fce691c3f7a28331c368ad7d6b

SHA512
0aff74f176c589b3e5edefc439da6725dd786a2f129c9cc17ba6ef080b431b1ad0f1c30039246d17859093db0f4da14ebdc5badbb8d834ed2c24b86605da0e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SV5U.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OJHHB.tmp\VoicemodSetup_2.48.0.0.tmp

Filesize
2.4MB

MD5
e812065f75f42d8bbbe174cf03b02216

SHA1
088914819546a58d1243522c64cea5f6a7d77eb8

SHA256
952d953995b093f37f8ae25c90cc2708f00b6009e83a7695a1f14e62465800ad

SHA512
daa24b600ed75e7f2e2e3a1ead2f0acff0283529890f87a7d455ff6959a5186db86b9f7ae97ce5023d86326fced2fde24395f336c50cc5b0f1a9844756863448

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_VoicemodDesktop.exe.txt

Filesize
7KB

MD5
d998313abcdb06ad1bc9e2d2b92439d5

SHA1
45fd43908c4d4c1441646f54d4532e56cc150282

SHA256
b82a7abb0ec7c390c7ef620ede75c7f34194dace50c205de8983a03d41fa5ad8

SHA512
ef52b717c88aba27c46522eb45a314bca01846af00ff6c68f2a54ed985e3aba143331371aa3222315c18379ab5ac0ba003c5f9d3ad4bb0b7e21c701c59e3dc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt

Filesize
7KB

MD5
29617ddfff1132b8d3c4a8e3fd9f5805

SHA1
f35e1ec9814fb555f478763400817838504403d4

SHA256
37d64a5c14a59c4aa231b3940ded4904ae2af54c614563cde02f65e636657b38

SHA512
e5b2e065649ec5fa21c115b31d3235a91835ea548e98deb3d44e89f1f9ef51e40175af1b18c0f6b19b35439e7945769342fc2d6729c0bba117e7261bbdc972a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{756c5992-9444-4e4f-82c3-f55893ce04a8}\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\Downloads\VoicemodSetup_2.48.0.0.exe

Filesize
112.2MB

MD5
91b98d97343351e879ef8304798864c0

SHA1
fba2e0c8229165d7f0cc34930ea96a2430d30ee6

SHA256
3671fd712335ef0d15e4d553edf19116f56d2ca18ede39d9d43536ce9e0bf2f4

SHA512
2a9a855d6a955c4bce3f4c23644cdb5d4454cb6e38b83ed5a42c9cf058e48584b762586415014a919d5567544ce570d99771a2258ef20c230a230bfc46c13fa8

Download Submit
C:\Users\Admin\Downloads\VoicemodSetup_2.48.0.0.exe

Filesize
73.8MB

MD5
f79b1eb17e5991fbbb8bf3f256dfaa2f

SHA1
1a3b00a7226c3b2b1b027c25bfb6457c11e2ad8c

SHA256
2292f56fe7ee245dc79a2c4219c40a23d9b3128f0640cbac5a085a0a2042d987

SHA512
f0cb93608760ac675001cb610ceefb1b3e97e8c929026c345d23f2aa1735f3fe727f5e4b2613d607602399ebd88491df65209e8735b955d0c54a2a69b93e26b2

Download Submit
C:\Users\Admin\Downloads\VoicemodSetup_2.48.0.0.exe

Filesize
6.8MB

MD5
1989953d6ffe30df2eedcfe14d2924c2

SHA1
63c8451f180f335a0d43bd11943ec648a415291d

SHA256
e44532376f4ef7061c36562fad9cda6decdb853231e316d3aa8c4277806b474c

SHA512
5824d1b5a99fee7eaddf7c3c755eca240f6e9f906367f05de70e048c4c7665ad156e65070d7216209614c25e6bbc69d4ecfada1be0930c76bcab5c44661cbc54

Download Submit
C:\Users\Admin\Downloads\VoicemodSetup_2.48.0.0.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\c:\program files\voicemod desktop\driver\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
memory/124-1999-0x000001A0AE2A0000-0x000001A0AE2B0000-memory.dmp

Filesize
64KB

Download
memory/124-2001-0x000001A0AE2A0000-0x000001A0AE2B0000-memory.dmp

Filesize
64KB

Download
memory/124-2000-0x000001A0AE2A0000-0x000001A0AE2B0000-memory.dmp

Filesize
64KB

Download
memory/124-2090-0x00007FFC93A00000-0x00007FFC944C2000-memory.dmp

Filesize
10.8MB

Download
memory/124-1998-0x00007FFC93A00000-0x00007FFC944C2000-memory.dmp

Filesize
10.8MB

Download
memory/124-1997-0x000001A0AE270000-0x000001A0AE292000-memory.dmp

Filesize
136KB

Download
memory/1160-1489-0x0000000003080000-0x00000000031C0000-memory.dmp

Filesize
1.2MB

Download
memory/1160-1387-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1160-1987-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1160-1578-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1160-1576-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1160-1498-0x0000000003080000-0x00000000031C0000-memory.dmp

Filesize
1.2MB

Download
memory/1160-1497-0x0000000003060000-0x000000000306E000-memory.dmp

Filesize
56KB

Download
memory/1160-2003-0x0000000003080000-0x00000000031C0000-memory.dmp

Filesize
1.2MB

Download
memory/1160-1496-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1160-1988-0x0000000003060000-0x000000000306E000-memory.dmp

Filesize
56KB

Download
memory/1160-1494-0x0000000003080000-0x00000000031C0000-memory.dmp

Filesize
1.2MB

Download
memory/1160-1484-0x0000000003080000-0x00000000031C0000-memory.dmp

Filesize
1.2MB

Download
memory/1160-1479-0x0000000003080000-0x00000000031C0000-memory.dmp

Filesize
1.2MB

Download
memory/1160-1474-0x0000000003080000-0x00000000031C0000-memory.dmp

Filesize
1.2MB

Download
memory/1160-1419-0x0000000003060000-0x000000000306E000-memory.dmp

Filesize
56KB

Download
memory/1160-2094-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1160-2129-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1880-2134-0x0000023BE75C0000-0x0000023BE75CA000-memory.dmp

Filesize
40KB

Download
memory/1880-2137-0x0000023BE75E0000-0x0000023BE75E8000-memory.dmp

Filesize
32KB

Download
memory/1880-2100-0x0000023BE7690000-0x0000023BE76A0000-memory.dmp

Filesize
64KB

Download
memory/1880-2101-0x0000023BCD190000-0x0000023BCD1A0000-memory.dmp

Filesize
64KB

Download
memory/1880-2102-0x0000023BE7A70000-0x0000023BE7B84000-memory.dmp

Filesize
1.1MB

Download
memory/1880-2103-0x0000023BE7B90000-0x0000023BE7D4E000-memory.dmp

Filesize
1.7MB

Download
memory/1880-2098-0x00007FFC93FE0000-0x00007FFC94AA2000-memory.dmp

Filesize
10.8MB

Download
memory/1880-2097-0x0000023BCC7E0000-0x0000023BCCD60000-memory.dmp

Filesize
5.5MB

Download
memory/1880-2131-0x0000023BE76A0000-0x0000023BE7750000-memory.dmp

Filesize
704KB

Download
memory/1880-2133-0x0000023BF3C10000-0x0000023BF3C80000-memory.dmp

Filesize
448KB

Download
memory/1880-2132-0x0000023BF3B90000-0x0000023BF3C06000-memory.dmp

Filesize
472KB

Download
memory/1880-2214-0x0000023BF7050000-0x0000023BF7578000-memory.dmp

Filesize
5.2MB

Download
memory/1880-2135-0x0000023BE75D0000-0x0000023BE75DA000-memory.dmp

Filesize
40KB

Download
memory/1880-2212-0x0000023BF6A20000-0x0000023BF6B12000-memory.dmp

Filesize
968KB

Download
memory/1880-2136-0x0000023BF3A90000-0x0000023BF3B90000-memory.dmp

Filesize
1024KB

Download
memory/1880-2099-0x0000023BE7780000-0x0000023BE7854000-memory.dmp

Filesize
848KB

Download
memory/1880-2138-0x0000023BF41F0000-0x0000023BF425C000-memory.dmp

Filesize
432KB

Download
memory/1880-2153-0x0000023BE7A50000-0x0000023BE7A5A000-memory.dmp

Filesize
40KB

Download
memory/1880-2154-0x0000023BF4440000-0x0000023BF44C4000-memory.dmp

Filesize
528KB

Download
memory/1880-2155-0x0000023BF4180000-0x0000023BF4192000-memory.dmp

Filesize
72KB

Download
memory/1880-2156-0x0000023BE7660000-0x0000023BE766E000-memory.dmp

Filesize
56KB

Download
memory/1880-2157-0x0000023BF41C0000-0x0000023BF41DA000-memory.dmp

Filesize
104KB

Download
memory/1880-2158-0x0000023BE7670000-0x0000023BE767E000-memory.dmp

Filesize
56KB

Download
memory/1880-2159-0x0000023BE7A60000-0x0000023BE7A6A000-memory.dmp

Filesize
40KB

Download
memory/1880-2160-0x0000023BF43B0000-0x0000023BF43C4000-memory.dmp

Filesize
80KB

Download
memory/1880-2213-0x0000023BF7640000-0x0000023BF835E000-memory.dmp

Filesize
13.1MB

Download
memory/1880-2167-0x0000023BE7690000-0x0000023BE76A0000-memory.dmp

Filesize
64KB

Download
memory/1880-2211-0x0000023BF68B0000-0x0000023BF68CA000-memory.dmp

Filesize
104KB

Download
memory/1880-2206-0x0000023BF6690000-0x0000023BF66AE000-memory.dmp

Filesize
120KB

Download
memory/1880-2191-0x00007FFC93FE0000-0x00007FFC94AA2000-memory.dmp

Filesize
10.8MB

Download
memory/2536-2188-0x000001E93A070000-0x000001E93A080000-memory.dmp

Filesize
64KB

Download
memory/2536-2192-0x000001E9463A0000-0x000001E9464C0000-memory.dmp

Filesize
1.1MB

Download
memory/2536-2164-0x00007FFC93FE0000-0x00007FFC94AA2000-memory.dmp

Filesize
10.8MB

Download
memory/2940-2187-0x00007FFC93FE0000-0x00007FFC94AA2000-memory.dmp

Filesize
10.8MB

Download
memory/4632-2190-0x00000195F0D40000-0x00000195F0D50000-memory.dmp

Filesize
64KB

Download
memory/4632-2186-0x00007FFC93FE0000-0x00007FFC94AA2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-2174-0x00007FFC93FE0000-0x00007FFC94AA2000-memory.dmp

Filesize
10.8MB

Download
memory/4952-1382-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4952-1495-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4952-2130-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4952-1380-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4964-2185-0x00007FFC93FE0000-0x00007FFC94AA2000-memory.dmp

Filesize
10.8MB

Download