hxxp://voice mod

Analysis

max time kernel
195s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://voice mod

Score

8^/10

discovery evasion execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4476	powershell.exe
3916	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\SET286E.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SET286E.tmp	DrvInst.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3464	netsh.exe
6692	netsh.exe
2740	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Voicemod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe

Executes dropped EXE 19 IoCs

pid	Process
2092	VoicemodInstaller_3.6.81-14neoa.exe
6304	VoicemodInstaller_3.6.81-14neoa.tmp
2868	avx-checker.exe
1492	avx-checker.exe
5476	avx-checker.exe
3464	SaveDefaultDevices.exe
5852	voicemodcon.exe
4616	AudioEndPointTool.exe
5040	AudioEndPointTool.exe
4428	AudioEndPointTool.exe
1844	voicemodcon.exe
4424	AudioEndPointTool.exe
4804	AudioEndPointTool.exe
3204	AudioEndPointTool.exe
5032	AudioEndPointTool.exe
2492	AudioEndPointTool.exe
3972	Voicemod.exe
6272	crashpad_handler.exe
4036	QtWebEngineProcess.exe

Loads dropped DLL 59 IoCs

pid	Process
6304	VoicemodInstaller_3.6.81-14neoa.tmp
6304	VoicemodInstaller_3.6.81-14neoa.tmp
6304	VoicemodInstaller_3.6.81-14neoa.tmp
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
4036	QtWebEngineProcess.exe
4036	QtWebEngineProcess.exe
4036	QtWebEngineProcess.exe
4036	QtWebEngineProcess.exe
4036	QtWebEngineProcess.exe
4036	QtWebEngineProcess.exe
4036	QtWebEngineProcess.exe
4036	QtWebEngineProcess.exe
4036	QtWebEngineProcess.exe
4036	QtWebEngineProcess.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VoicemodV3 = "\"C:\\Program Files\\Voicemod V3\\Voicemod.exe\""	VoicemodInstaller_3.6.81-14neoa.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.PNF	voicemodcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}\SET266A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}\SET266A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}\SET266B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}\SET266B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}\SET266C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}\SET266C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}\mvvad.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{22b119c0-5066-c64d-8171-070ee496559a}\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.cat	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Voicemod V3\resources\qtwebengine_resources_200p.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\sv.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\ta.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\Qt6Qml.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\resources\icudtl.dat	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\driver\is-BOIMJ.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\multimedia\is-0HS88.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\is-F9EIU.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\is-SV9V2.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qt_zh_TW.qm	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\is-N0I03.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\tls\qschannelbackend.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\driver\is-E06G3.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\resources\is-V56MG.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\resources\qtwebengine_devtools_resources.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qt_hu.qm	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\zh-CN.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\qmltooling\qmldbg_preview.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\driver\is-PELOV.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\networkinformation\is-SOCJE.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\resources\qtwebengine_resources_100p.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\is-SMNTC.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\is-A8S4G.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\unins000.msg	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\imageformats\qgif.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\imageformats\qicns.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\qmltooling\is-GBT0M.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\tls\qopensslbackend.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\qmltooling\qmldbg_tcp.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qt_pl.qm	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\ms.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\Qt6QmlModels.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\driver\is-C2AOF.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\am.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\multimedia\ffmpegmediaplugin.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\imageformats\is-ON73R.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\is-5VC54.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\is-99AH2.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\da.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\is-SGJTB.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\tr.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\is-30S97.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qt_fi.qm	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\is-1JHGE.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\bn.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\pl.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\imageformats\qpdf.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\driver\is-L8PQS.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\is-0SP5J.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qt_es.qm	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\is-OJD0M.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\es-419.pak	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\is-C5G6H.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\imageformats\qtga.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\is-RM4TK.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\qmltooling\qmldbg_local.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\driver\is-M6ABT.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\is-V907S.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\translations\qtwebengine_locales\is-3FNAD.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\imageformats\qjpeg.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\qmltooling\qmldbg_debugger.dll	VoicemodInstaller_3.6.81-14neoa.tmp
File opened for modification	C:\Program Files\Voicemod V3\translations\qt_fa.qm	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\imageformats\is-B60F4.tmp	VoicemodInstaller_3.6.81-14neoa.tmp
File created	C:\Program Files\Voicemod V3\qmltooling\is-NAIU0.tmp	VoicemodInstaller_3.6.81-14neoa.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	voicemodcon.exe
File created	C:\Windows\INF\c_media.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	voicemodcon.exe
File created	C:\Windows\INF\oem2.PNF	voicemodcon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Voicemod.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Voicemod.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2940	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell	VoicemodInstaller_3.6.81-14neoa.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command\ = "\"C:\\Program Files\\Voicemod V3\\Voicemod.exe\" \"%1\""	VoicemodInstaller_3.6.81-14neoa.tmp
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\URL Protocol	VoicemodInstaller_3.6.81-14neoa.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command	VoicemodInstaller_3.6.81-14neoa.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\ = "URL:Voicemod Command Protocol"	VoicemodInstaller_3.6.81-14neoa.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon	VoicemodInstaller_3.6.81-14neoa.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon\ = "Voicemod.exe,1"	VoicemodInstaller_3.6.81-14neoa.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open	VoicemodInstaller_3.6.81-14neoa.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018855536-2201274732-320770143-1000\{5E6ED42D-FEAA-4C3A-9EB2-4B7BF0F9F27A}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod	VoicemodInstaller_3.6.81-14neoa.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 694323.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3972	Voicemod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
4084	msedge.exe
4084	msedge.exe
5028	identity_helper.exe
5028	identity_helper.exe
1984	msedge.exe
1984	msedge.exe
5744	msedge.exe
5744	msedge.exe
6304	VoicemodInstaller_3.6.81-14neoa.tmp
6304	VoicemodInstaller_3.6.81-14neoa.tmp
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
4440	msedge.exe
4440	msedge.exe
4440	msedge.exe
4440	msedge.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
4036	QtWebEngineProcess.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3972	Voicemod.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 62 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeAuditPrivilege	708	svchost.exe
Token: SeSecurityPrivilege	708	svchost.exe
Token: SeLoadDriverPrivilege	1844	voicemodcon.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeBackupPrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeBackupPrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeBackupPrivilege	1156	DrvInst.exe
Token: SeLoadDriverPrivilege	1156	DrvInst.exe
Token: SeLoadDriverPrivilege	1156	DrvInst.exe
Token: SeLoadDriverPrivilege	1156	DrvInst.exe
Token: SeIncreaseQuotaPrivilege	1892	WMIC.exe
Token: SeSecurityPrivilege	1892	WMIC.exe
Token: SeTakeOwnershipPrivilege	1892	WMIC.exe
Token: SeLoadDriverPrivilege	1892	WMIC.exe
Token: SeSystemProfilePrivilege	1892	WMIC.exe
Token: SeSystemtimePrivilege	1892	WMIC.exe
Token: SeProfSingleProcessPrivilege	1892	WMIC.exe
Token: SeIncBasePriorityPrivilege	1892	WMIC.exe
Token: SeCreatePagefilePrivilege	1892	WMIC.exe
Token: SeBackupPrivilege	1892	WMIC.exe
Token: SeRestorePrivilege	1892	WMIC.exe
Token: SeShutdownPrivilege	1892	WMIC.exe
Token: SeDebugPrivilege	1892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1892	WMIC.exe
Token: SeRemoteShutdownPrivilege	1892	WMIC.exe
Token: SeUndockPrivilege	1892	WMIC.exe
Token: SeManageVolumePrivilege	1892	WMIC.exe
Token: 33	1892	WMIC.exe
Token: 34	1892	WMIC.exe
Token: 35	1892	WMIC.exe
Token: 36	1892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1892	WMIC.exe
Token: SeSecurityPrivilege	1892	WMIC.exe
Token: SeTakeOwnershipPrivilege	1892	WMIC.exe
Token: SeLoadDriverPrivilege	1892	WMIC.exe
Token: SeSystemProfilePrivilege	1892	WMIC.exe
Token: SeSystemtimePrivilege	1892	WMIC.exe
Token: SeProfSingleProcessPrivilege	1892	WMIC.exe
Token: SeIncBasePriorityPrivilege	1892	WMIC.exe
Token: SeCreatePagefilePrivilege	1892	WMIC.exe
Token: SeBackupPrivilege	1892	WMIC.exe
Token: SeRestorePrivilege	1892	WMIC.exe
Token: SeShutdownPrivilege	1892	WMIC.exe
Token: SeDebugPrivilege	1892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1892	WMIC.exe
Token: SeRemoteShutdownPrivilege	1892	WMIC.exe
Token: SeUndockPrivilege	1892	WMIC.exe
Token: SeManageVolumePrivilege	1892	WMIC.exe
Token: 33	1892	WMIC.exe
Token: 34	1892	WMIC.exe
Token: 35	1892	WMIC.exe
Token: 36	1892	WMIC.exe
Token: SeDebugPrivilege	6324	taskmgr.exe
Token: SeSystemProfilePrivilege	6324	taskmgr.exe
Token: SeCreateGlobalPrivilege	6324	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	212	WMIC.exe
Token: SeSecurityPrivilege	212	WMIC.exe
Token: SeTakeOwnershipPrivilege	212	WMIC.exe
Token: SeLoadDriverPrivilege	212	WMIC.exe
Token: SeSystemProfilePrivilege	212	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
6304	VoicemodInstaller_3.6.81-14neoa.tmp
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
6324	taskmgr.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
6324	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe
3972	Voicemod.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 1724	4084	msedge.exe	81
PID 4084 wrote to memory of 1724	4084	msedge.exe	81
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 988	4084	msedge.exe	82
PID 4084 wrote to memory of 2516	4084	msedge.exe	83
PID 4084 wrote to memory of 2516	4084	msedge.exe	83
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84
PID 4084 wrote to memory of 1044	4084	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://voice mod
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffe875746f8,0x7ffe87574708,0x7ffe87574718
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7920 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8492 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8280 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8880 /prefetch:1
  2⤵
  PID:6148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
  2⤵
  PID:6156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9172 /prefetch:1
  2⤵
  PID:6164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9008 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8920 /prefetch:1
  2⤵
  PID:6792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8256 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:6368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:6384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9132 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2404 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
  2⤵
  PID:7108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8564 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7172 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8524 /prefetch:1
  2⤵
  PID:7152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9188 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8308 /prefetch:8
  2⤵
  PID:6252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5744
- C:\Users\Admin\Downloads\VoicemodInstaller_3.6.81-14neoa.exe
  "C:\Users\Admin\Downloads\VoicemodInstaller_3.6.81-14neoa.exe"
  2⤵
  - Executes dropped EXE
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\is-269RK.tmp\VoicemodInstaller_3.6.81-14neoa.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-269RK.tmp\VoicemodInstaller_3.6.81-14neoa.tmp" /SL5="$B01F8,121341568,839680,C:\Users\Admin\Downloads\VoicemodInstaller_3.6.81-14neoa.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:6304
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:2884
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:7044
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:4760
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
      4⤵
      PID:7024
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:5972
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:3908
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:4272
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpLicense\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\",\"page_number\": \"2\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:5416
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:6328
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectDir\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\",\"page_number\": \"6\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:5744
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:6016
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectTasks\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\",\"page_number\": \"9\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:1720
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:4584
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpReady\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\",\"page_number\": \"10\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:3724
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:1144
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpPreparing\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\",\"page_number\": \"11\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\avx-checker.exe
      "C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\avx-checker.exe"
      4⤵
      Executes dropped EXE
      PID:2868
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:2500
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpInstalling\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\",\"page_number\": \"12\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:5312
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:7028
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Install\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\avx-checker.exe
      "C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\avx-checker.exe"
      4⤵
      Executes dropped EXE
      PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\avx-checker.exe
      "C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\avx-checker.exe"
      4⤵
      Executes dropped EXE
      PID:5476
  - - C:\Program Files\Voicemod V3\driver\SaveDefaultDevices.exe
      "C:\Program Files\Voicemod V3\driver\SaveDefaultDevices.exe" defaultdevices.txt
      4⤵
      Executes dropped EXE
      PID:3464
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod V3\driver\setupDrv.bat""
      4⤵
      PID:5688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Start-Process 'setupDrvAdmin.bat' -Verb runAs -WindowStyle Hidden -Wait"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Voicemod V3\driver\setupDrvAdmin.bat"
        6⤵
        
        PID:5308
        
        C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        7⤵
        
        PID:5352
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        8⤵
        
        PID:6412
        
        C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        7⤵
        
        PID:1068
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        8⤵
        
        PID:6084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "voicemodcon.exe dp_enum"
        7⤵
        
        PID:4880
        
        C:\Program Files\Voicemod V3\driver\voicemodcon.exe
        
        voicemodcon.exe dp_enum
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5852
        
        C:\Windows\system32\net.exe
        
        net start audiosrv
        7⤵
        
        PID:1620
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        8⤵
        
        PID:3008
        
        C:\Program Files\Voicemod V3\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow=Capture --role=Communications --format=Raw --fields=ID
        7⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Program Files\Voicemod V3\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow=Capture --role=Multimedia --format=Raw --fields=ID
        7⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Program Files\Voicemod V3\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow=Capture --role=Console --format=Raw --fields=ID
        7⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        7⤵
        
        PID:6548
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        8⤵
        
        PID:5724
        
        C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        7⤵
        
        PID:4624
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        8⤵
        
        PID:4228
        
        C:\Program Files\Voicemod V3\driver\voicemodcon.exe
        
        voicemodcon install mvvad.inf *VMDriver
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\system32\net.exe
        
        net start audiosrv
        7⤵
        
        PID:6152
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        8⤵
        
        PID:6256
        
        C:\Program Files\Voicemod V3\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{295aef70-154d-45b4-ba82-0fb7aec76de3}" --flow=Capture --role=Communications
        7⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Program Files\Voicemod V3\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{295aef70-154d-45b4-ba82-0fb7aec76de3}" --flow=Capture --role=Multimedia
        7⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Program Files\Voicemod V3\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{295aef70-154d-45b4-ba82-0fb7aec76de3}" --flow=Capture --role=Console
        7⤵
        Executes dropped EXE
        
        PID:3204
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /C wmic sounddev where "Manufacturer like 'Voicemod%'" LIST FULL > "C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\output.log" & type "C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\output.log" > "C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\output_ansi.log"
      4⤵
      PID:6680
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic sounddev where "Manufacturer like 'Voicemod%'" LIST FULL
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod V3\driver\disableDrv.bat""
      4⤵
      PID:2452
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
        5⤵
        
        PID:6596
      - C:\Program Files\Voicemod V3\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
        6⤵
        Executes dropped EXE
        
        PID:5032
    - - C:\Program Files\Voicemod V3\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setvisibility --id="{0.0.1.00000000}.{737e784a-9fc4-4f0f-9dff-a0f8691f0be3}" --visible=false
        5⤵
        Executes dropped EXE
        
        PID:2492
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod V3\driver\dumpInfo.bat""
      4⤵
      PID:6320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic cpu get Name /value | findstr /V "^$"
        5⤵
        
        PID:5180
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get Name /value
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
      - C:\Windows\system32\findstr.exe
        
        findstr /V "^$"
        6⤵
        
        PID:2352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -Command "[math]::truncate((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)"
        5⤵
        
        PID:376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "[math]::truncate((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct get displayName /value | findstr /V "^$"
        5⤵
        
        PID:5520
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct get displayName /value
        6⤵
        
        PID:6164
      - C:\Windows\system32\findstr.exe
        
        findstr /V "^$"
        6⤵
        
        PID:3232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_SoundDevice get Name /value | findstr /V "^$"
        5⤵
        
        PID:2628
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_SoundDevice get Name /value
        6⤵
        
        PID:3952
      - C:\Windows\system32\findstr.exe
        
        findstr /V "^$"
        6⤵
        
        PID:4440
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:2108
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"V3 Temp Installer Disabling Driver Failed\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\",\"error_code\": \"0,-1\",\"cpu_name\": \"Intel Core Processor (Broadwell)\", \"memory_size\": \"3 GB\", \"antivirus_name\": \"\", \"audio_devices\": \"[\\\"High Definition Audio Device\\\",\\\"Voicemod Virtual Audio Device (WDM)\\\"]\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:2780
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod V3\Voicemod.exe"
      4⤵
      PID:7032
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod V3\Voicemod.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:3464
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod V3\Voicemod.exe"
      4⤵
      PID:2064
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod V3\Voicemod.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:6692
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod V3\Voicemod.exe"
      4⤵
      PID:6640
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod V3\Voicemod.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:2740
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:3152
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Step PostInstall\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:2492
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:3948
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Done\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:2352
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:6696
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpFinished\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\",\"page_number\": \"14\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:3324
  - - C:\Program Files\Voicemod V3\Voicemod.exe
      "C:\Program Files\Voicemod V3\Voicemod.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:3972
    - - C:\Program Files\Voicemod V3\kit\crashpad_handler.exe
        
        "C:\Program Files\Voicemod V3\kit\crashpad_handler.exe" --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\.ui-agent --metrics-dir=C:\Users\Admin\AppData\Local\Temp\.ui-agent --url=https://sentry.voicemod.net:443/api/62/minidump/?sentry_client=sentry.native/0.6.0&sentry_key=73b533e53a5e42069abdefec33c8efd3 --attachment=C:\Users\Admin\AppData\Local\Temp\.ui-agent\08838258-1130-4c59-60e2-cd2ac556c2ac.run\__sentry-event --attachment=C:\Users\Admin\AppData\Local\Temp\.ui-agent\08838258-1130-4c59-60e2-cd2ac556c2ac.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Local\Temp\.ui-agent\08838258-1130-4c59-60e2-cd2ac556c2ac.run\__sentry-breadcrumb2 --initial-client-data=0x484,0x488,0x48c,0x460,0x490,0x7ff71add4fa8,0x7ff71add4fc0,0x7ff71add4fd8
        5⤵
        Executes dropped EXE
        
        PID:6272
    - - C:\Program Files\Voicemod V3\QtWebEngineProcess.exe
        
        "C:\Program Files\Voicemod V3\QtWebEngineProcess.exe" --type=renderer --webengine-schemes=qrc:sV --first-renderer-process --disable-speech-api --enable-threaded-compositing --disable-gpu-compositing --disable-blink-features=EyeDropperAPI --lang=en --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=5236 --enable-features=NetworkServiceInProcess2,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,EyeDropper,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4036
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c start https://account.voicemod.net/#/?action=nextgen^&random_id=d9239062-6cce-4c65-b13e-1846e287064b
        5⤵
        
        PID:3836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://account.voicemod.net/#/?action=nextgen&random_id=d9239062-6cce-4c65-b13e-1846e287064b
        6⤵
        
        PID:6640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe875746f8,0x7ffe87574708,0x7ffe87574718
        7⤵
        
        PID:1808
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\Admin\AppData\Local\Temp\\ipaddress.info"
      4⤵
      PID:6040
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\"},\"mp_deviceid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Done\" , \"custom_attributes\": { \"version\": \"3.6.81\", \"app_version\": \"3.6.81\", \"machine_guid\": \"4d0966de-9ba4-4ee9-b282-eaf9cf9c9160\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19041)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"14neoa\" }},\"event_type\": \"custom_event\"}],\"ip\": \"191.101.209.39\",\"environment\": \"production\"}"
      4⤵
      PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5692 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1300 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1464,15425838139029263681,17628591853815815186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9048 /prefetch:1
  2⤵
  PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:708
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4a80fd1f-069a-5a4e-af7d-4534bd7e0f46}\mvvad.inf" "9" "499a51a03" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files\voicemod v3\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4564
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:2022.6.1.0:*vmdriver," "499a51a03" "000000000000014C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:6252

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564 0x53c
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voicemod V3\is-IJUH6.tmp

Filesize
42.3MB

MD5
423a5d93a4c3f14f76d3c742e47ae51e

SHA1
cf64b6203d8107bf0b3d0669753154c99eec45b8

SHA256
70ce26efe40d770f68657817dfd2230c91ae4c8cc7079a9528433ea07ed5dcf5

SHA512
47be8eba71015375bfbc335afe96c1c6801cb71abed56a760bee5524e8df9c89845350b84f393252ed25864346d32da76708f29eb80f16e3ba18ac2f191ffa05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
88680fb89f9210ec416b2da239b58b5b

SHA1
d0e7034c4ce7a100ebfba6f5ae73d2cfc5cf01db

SHA256
f3e85184b9da403ef7277231046f43fcfe9d08f2bc21bf09967c43576d6a66ff

SHA512
fb9e301ac1e7990a2f4c2f109e135c78a275d6feb07ad8aa7765ad3a5e8fd5c77085334ff1b3bab4222090bba6cf4b6b9b3a1e5da3bbf8958d64ed7143d31b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
b48e876e91ec89fbaaef68677fac8058

SHA1
90d1ec84f062ed577f423c44dc8bf04bde44d514

SHA256
41b601617afa569c0a42d592341bdbc062b2480bc61f6ab89d85c43c1b2987ac

SHA512
2d07f78ffdb9ed12e560c9ebf64fdccc4ddf89b7866d28f5c8ccb862ddd56977d2aed1e82158f6f7f444664b4417e96a7923994c51052acc8ca1d6739f7ab5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
118KB

MD5
913a9cf974a02dea7e03895177f26406

SHA1
6bda01f36f11caf7223d19dbe21a36a29a27bbff

SHA256
38336ee1a4363f35460bdd104673cc7ceae26b7fc709cd0ddc65b4d9f49f34cd

SHA512
778b59b42b77073b0ca29f02a45cd1a5b6ec5458eb2ff259f4fb38eadd5eacdc1b6573a50fb24d9d57bc5cc5460230e7819890d6eb27cb0a7506d88a8a62821f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
329KB

MD5
90bb079562f043a0951fa220f9b62727

SHA1
e17ffa0011ff5a0aa9b9da8a59a86df7d81686ee

SHA256
4d0755240b8eb75d11a31fa129025ae1a18da1b588017ba420d1ec89bedaba0c

SHA512
1155af8b57a6877c0df251e70f2490fb5878de7de549b8f6b863e99e318bfe79cea33ca92568373b266b082886e376f0daf72215ec9e8202274536337002f4e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
16KB

MD5
4fdd269a8edead03731d0d367a04364a

SHA1
516d29270edeb90f2ae7988e2af8f9e100bf3021

SHA256
05a26fbce987954c775b4997aacbbd9070a5c47d21436f599a492803bf6da4ce

SHA512
34f0a63029424ed1b8e82bbbde9b0c89087688ca0095fd72ac8dfe796488fbb300b3cbbf698f5dbbacda59ace1597f3fd6a5ba6ddfcf9d57ec71693e422cd672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000058

Filesize
19KB

MD5
e78f9f9e3c27e7c593b4355a84d7f65a

SHA1
562ce4ba516712d05ed293f34385d18f7138c904

SHA256
75488ac5677083f252c43009f026c2ec023ac4da3e65c5d7a084742e32abce3d

SHA512
05f9fbbd59c286024b3ad49961c4e0eaa1abcf36ed29a1d07ea73d2b057075d46fbfdda56f135145f942bd0c3d48246c73be1771c21861eec4ddf8bbc365a286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
30KB

MD5
6fb26b39d8dcf2f09ef8aebb8a5ffe23

SHA1
578cac24c947a6d24bc05a6aa305756dd70e9ac3

SHA256
774379647c0a6db04a0c2662be757a730c20f13b4c03fe0b12d43c0f09e7a059

SHA512
c40f4771c10add1b20efb81ee3b61fc5ede4701587f29a1c2cdde8b6faabd1c76d769bf8b99aa19082012f95d99ba448a472463fb9056acd2e43542e14e605cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005c

Filesize
64KB

MD5
8b37bb42b1577b08892393df19f534c8

SHA1
e12eaa944bff9ccd0687ac54811a3ada4a5d21e9

SHA256
6cc9e87df3ba27d6dd288a0593a4f70a17ecb0bf5cac0a591ff72f355a9f454b

SHA512
9dba0d070832cecab4c2aa922bd07395b7493845926a5bed5c5f86d61c3b2fff1f6fa12069b7b7abe4f15cd58775ffa238aa36c47e100d7ca544abb3bc1a29b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\090ba51db205503e_0

Filesize
242B

MD5
5e849d18f75d23dec815da9b76d8db66

SHA1
7c298b9b52fe98c3e0378a40a5bf243b183755a0

SHA256
03031c66a3fcc37d361b41995f0d75f4b1f09b327456e9ba196a9b393dd175bc

SHA512
dc34993cc2806612ca89416eca49b702ac7c0d910f5a8827b00484e6f99f3b800623d1977680e1cc9bb767d3779aa74da452057ee3f759a6419f21a37769e9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3bea298e42d481d2_0

Filesize
32KB

MD5
1a60e0cfbcde9f049cc191a0c4db635f

SHA1
64051b6dac3a95d0a318913d4e54b2e1363b3c01

SHA256
fa864725ce0c0ef979b08da81da96c4d3a4f564fc205573a5023d12e0155d9f0

SHA512
7be3a88d1853a9d6a2ba19902874f992cc3e58510fabb4ce1caf464a2008d66d8548ed17f73821053fedb529aa6f6267d13e3fc82e4390b02f55d9fc54bc145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4c307b02b4dcc58c_0

Filesize
228B

MD5
7b60f36ddb077c63371587b0d9776367

SHA1
1430e29c5972a2bbf11bc5274cc3e0dbcab4bc6d

SHA256
5a9aae493c9b17fb3888c2b90cf56c34bcd0319f5626e20fe3b73302f82476a1

SHA512
32ce178f684ec6c3ee3a04fd78143c8cce4acf91b92da2df702b69e70ded792cee1b000b86a7db3c8324288d501efab569fc6f3141e0431c4bcb4dc17119dba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\eafd209b9f41c6fa_0

Filesize
253B

MD5
9e96819481685f0a39991ade954cca83

SHA1
60f9bbeccf1ae221893f8e2a4a76a2033def90be

SHA256
8207a2af57bd11a23842fecdd9dd721962b681749c665c4373809ae4c4a4a98f

SHA512
fec215fd3ed06d2a0009e2e64ef9b4b84f93d8fd615a8f15e2917c1f64542f7fbac2cd5c5dcbaa5b947b6b986abd69e0ffed88573807adc8e60e49d9924bf87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
4d0419b6737073bf6b978fe6fa82c171

SHA1
b222f70d4ba79aaa23c1593f34aab0c29238b726

SHA256
9036189bdf54887b01d70ede997ed09f82b48025c34f764ead50e467edc89da5

SHA512
799e81ca8ad52bd4ea70f09c6c56f339a7f1c230565905e3213325f00d963c9e9d9699e046493db7f70f508b945a6822c9806470480d6f174548a8ce0c1f5ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
88f653b6bb8472bfbf7c8a714353926f

SHA1
cde13ff2e029b3b3a3c27bbfb75755c9954a5836

SHA256
3c5172c146515534e3559d17dd81dde9dad0a31522116ce213c0c21d083cd52f

SHA512
997cf77364463dde8e35ce592f29a1dd7f8eb295ed66c3d69828fe0a66492264829b52c6d4cf7d9650d4e6962189ee28d0dfc43d7c600df90eda5fab2cd3bc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
6ae6d69bd4b183511393dc931c1ed6c6

SHA1
eb5611610d9ff7dbf2ed92d8877d297683a2b834

SHA256
a5f495b4ffecf7ee84829b94b3dc2e5742181a184dfd6786c8e803742a88f7a8

SHA512
38e32a12d20d47acdd1aae26ffb6b031cdbd495fbafaa3aa35e393c056c1667008d5c32a8c433d4419eb3645b0091e9163255776eb53a2f366ecaca21931088b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
21077900cda0baa7155cbd73a5c9af3f

SHA1
6fc96539775149b95e9030c1bc103e316c092af6

SHA256
8878cb3362c871829e6eb28585be05d25838b35b78445d2915cb22e15e6c906e

SHA512
973fdeecd3177ba3da43a91fb0c3fb71441a5ab0a8b931c9c0b1884176c4d2c8045b49695baeebb2107c9a2a321fa40329e7f24851b4e42b47e3f675a592ef1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
7a722a1b428f4612e549a508a8fe9e58

SHA1
2b008706f7cf2e4b6cf995373315733546b75aa1

SHA256
07e1ccc352d749a577c05dd7c54b0f56d711a10f64667724ebde799f861d4f65

SHA512
42e81c2e45c90055489cdf0587ae3832474c3a42909be73d8f3ea93f390014fdd840adc5e1b4074da295942722f121ff3275043cea35eff9110d3894414d56bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b0df27f5429b11c5a2d9e8bc55c5a3a0

SHA1
2d334c7e77acd460d9ff0a40d9ba8406fe23d088

SHA256
8fa78e205ef2e6c5bda2c65e12a68d61f533d0bd95c4f004e23c5f392f08eb28

SHA512
b40213658029e858eeaebd96dd9bdfb168a117c4dfeefb6975a8e69bf46a47ffc072c109b5b12a586c0da4c149c5c7cd1447b15b2ebcfb60a57e8c58eebe5203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
7cf66c4d075b5dbf9b607719032f561c

SHA1
3bedeeb5e32193ec9c5b3ece314787443505d0f2

SHA256
28adb2099587abd133803bd2a02a98529d64040b0a59b82f6b2970e94dde30b2

SHA512
a5ead40cbd7df70822a555835dc6ff3891556f8d5c8ff8b20807e0c135bf227309b991b071e8fa66d5fe7b7e0a1c05848854ebf09e0360499a8d0c6ca6198919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
32e56f72a41e5b9af3694b9df22a757a

SHA1
e2ea95c5841f5ac14d7ec73384c01948b0c53725

SHA256
95d31b4e185805e3970dc29fd982e44eb0e052e89de511f5099548d8da626601

SHA512
e328d29879ad889dafba3d9b1ad06762a459b06318946138623cdd3c92fbccad65441349a9fc4688fc32a4f45760cb38a25e021a08c14e4c7e52e3abd0297ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
5e9db2677dd3e6dde6c3db7d89e46bbc

SHA1
ec1add33359644470b6be9cf156965d809b1e043

SHA256
c69aca63088b481c9373876f6dfa6d2b32c9f95585345c574a35cca6e6f950fc

SHA512
8c7b6756e160130e8f3db47f20c3c14fa2a8e804b8a14288a3be10ac111fe68dd67c05195909f04570d2583063067ed80d5193d152897ec2c0db9748e739ecab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
0185124594eced765453c944c8845502

SHA1
9bfdeb429577a43d3ca47b629f2aad5cb4d8e83b

SHA256
c252dd993419a40d998df88c3eafc8cd0c34da781b8f1785b9bb96cc28bece45

SHA512
77de687f4dee558c07628ba6d03c019a5f7b0135c2c0cf2a8efd1168bdae7f2725fa5c6d2f4347754c5964af2d35e06661ac7e90d20ee1a54f88ec1f3465766f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
6474b1ac8c5b4eb6f6bed36e2dca39e0

SHA1
0d4d28ebfb054c9b30fad9b97b6fba70dd63b5f2

SHA256
9cd5e88c1405741016e48e0139a641818fd99ef00c7288b9d70a7f1ec95e11b0

SHA512
beab4b6148ac5921d3593dd6013eac019c9253ccca6a3a704ec66893598977f379be1a18affc1a8a673817937356532c97ee0a46df86789f9d5cd58279dfd581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
5422490a96fd8bef3ea88187ad8fe6c3

SHA1
64216631022acb9daca6a6f3944bf228f1a89484

SHA256
c61e4ac2b4658b438f78987d8051725afd231f6deec385e8ffb3130d7d021468

SHA512
990e4be10cc0d16deac17f20871060d7053c4861dad6315d0fc01e099e49086712434e47f7758993c6c239d166010a8e14f9dab556f52ff031974d4f03ac524c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
128af65b55b4f995e998c6ff87966597

SHA1
33fa63f55e52300f781aa7187e2757ca488aa7bc

SHA256
b4267e955a855833e61771dc69f248f77c838bace204f73c652a688c8b78f8e1

SHA512
c75a4cee7cb427c0d89f5033403a09a57601dadcfb3b7b62472e58345e7e976886e7792f11dc05e938540aca662d1127e7f076530caa2f2b6e43fa7409abc85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
68902136e86d2b8c532373fa783df529

SHA1
08dceb631de23e64e3798505cf5827743218f999

SHA256
a293ccb1064642c81cf07791388dc715bd9b2f38f39608223233f65d65db0702

SHA512
c9b041ba55be4853ebc96b56efe2df9a54ed29a984cdb821ae23dfc5accca8e64347d950acfb224325a372a235278ca087de47068196b9f8fb02922293ccfb39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
90fa4cd8ac7419a7bcfb494533c1aea5

SHA1
5ba9b560acf62beedc92021e53bb1bed1c9cedf6

SHA256
449c988f8d726c411c843110d7b30595a91c040e841742281fceb9ed00f4a279

SHA512
b0444408df64821a293b50e9d8a27c16509e65162a9a436796743586f8fe3da223ad2df1afaef216c9084c6e99e676d18b97d9144ff5136077f5d314a3acc48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b016.TMP

Filesize
2KB

MD5
70410b1c88efe00e8a5ceb9b7da701c9

SHA1
53c674602bd0edb98b835e8979ccf7ee3c36aa18

SHA256
33278cd933ee067ae4583b39f235f23b61f3b3aa6564ac6b750cbdb31b9e9844

SHA512
db5752db92aab3051296849f1655236da2f029d8ded1b2cbddc21c8467517fa24e10a95da19bc3d67966e483a4a41729a184149642ba5f533c50a0c846397bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f2d7b00684d1bdd731d62877bd4b4da7

SHA1
362e42a433b64be0ebd9616076718f66393e732b

SHA256
92968247bafe8044db8eae53240bbe488aef16e3f84c6315b0c983359cbff79c

SHA512
99fa13ca0397be4be844ba77a4e3aef5d96d469218cc01b7e0266a5a95aa65f4467d1fbfb2874e7af3ff947a47f158f0d698afbbbef1c7e4b5070c0e0ded2266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5fa7e292b8a0f086397e1803291fb61b

SHA1
19a355c4296c88daec6c3cf89399d005ec02ca12

SHA256
0681d0f0f79660bafed52e1a46f736d53a9fe61eaaae5032f4f144611a902229

SHA512
dcb162baddfce5ceef3762c30b819c391e29972595833784025d02099cdae002836924708311160985a3affe8b5dc4121f3305e122b7d3088b5eb21cea9b71ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ui-agent\08838258-1130-4c59-60e2-cd2ac556c2ac.run\__sentry-breadcrumb1

Filesize
2KB

MD5
8006b02a1bca6ef9deb32340b5292075

SHA1
85299a26bfc633e83ee6497987c434e8bbffc377

SHA256
7927e74b965c88574571f2a967ddbe05880fc6601ca892cc4507b29cfbe2a779

SHA512
95507e855e1afe8b4fd89748587862d4068bef54e6c87a7b05f4286505db75b3628d9ca05d536966c4bb14fca7196d711121873f2c9d257171fe6e4339e1ffdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ui-agent\08838258-1130-4c59-60e2-cd2ac556c2ac.run\__sentry-breadcrumb1

Filesize
1KB

MD5
81c944203214c0c55a6f2a5e8767fb3e

SHA1
df5f91d71ffdb873c2f4208361e0571c93611b37

SHA256
547ae534e3692b9fb9aaa522392293ca7f0f9942ac9c004cf030785635bfb1ac

SHA512
b2aa5b92ab427d6b8b1fd76b599f882faaea92fa8a6d2cf740289546e8a9ebd6b865b106eaed4bf18fb096d3cc1effde9487004ac99bd411e0b49f855828dd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointToolID.err

Filesize
55B

MD5
8a2a8069d6d2dc50396c617358b5a547

SHA1
82336f196d7158d98a3c130568dc65198e74ac67

SHA256
2a28a97c4e0309d8de301767bcabb1e67b1418959929c2a3e2adba3667f9cb8f

SHA512
ddd78ea2d4a24e8c52759b23b505a9dd6694fd235b3ca77d49d9c3aa30b4d81fee60483b2ba6e27d66e92c457d62c4043d6de57362cd5957653f9988c2e22604

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTool_MULT.err

Filesize
6B

MD5
8f02b39711ca33b0fef856c74bee2867

SHA1
e8a0f9cd2bfa6b2978df284151faa006c9409559

SHA256
f07029b11dd6d731664feea3fe6bcfb4d8b05555e14aca9fe078e63002fb95ac

SHA512
f149517e9dce8051f70e25a81ef09c23e1db3feb0f554585fa33b4b33a1c95ecb6f61c1c42f89270616021b2d4c0e563274a700dbabc5be7d90e9ca2dbd77671

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTrace.err

Filesize
2B

MD5
6512bd43d9caa6e02c990b0a82652dca

SHA1
17ba0791499db908433b80f37c5fbc89b870084b

SHA256
4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8

SHA512
74a49c698dbd3c12e36b0b287447d833f74f3937ff132ebff7054baa18623c35a705bb18b82e2ac0384b5127db97016e63609f712bc90e3506cfbea97599f46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTrace.err

Filesize
2B

MD5
1c383cd30b7c298ab50293adfecb7b18

SHA1
972a67c48192728a34979d9a35164c1295401b71

SHA256
9f14025af0065b30e47e23ebb3b491d39ae8ed17d33739e5ff3827ffb3634953

SHA512
7a4f07ef7ac81ec31e04d55faffe33bdde93ec2398c338760e0d98adab7ba5acf2c39b2da1782f45e8a5a4d337dedcc647afebddd531782af42bafae98ce7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTrace.err

Filesize
2B

MD5
c0c7c76d30bd3dcaefc96f40275bdc0a

SHA1
e1822db470e60d090affd0956d743cb0e7cdf113

SHA256
1a6562590ef19d1045d06c4055742d38288e9e6dcd71ccde5cee80f1d5a774eb

SHA512
e62b01e8497ab6b7d89432599e21804eca278bb4a9c4b6ef5f7bae00bd5e45ae6c8cf3a18b74296f9a8e69cd2f416a8f41eeb2128f4e280ecf438ffef6244e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTrace.err

Filesize
2B

MD5
6f4922f45568161a8cdf4ad2299f6d23

SHA1
9e6a55b6b4563e652a23be9d623ca5055c356940

SHA256
4ec9599fc203d176a301536c2e091a19bc852759b255bd6818810a42c5fed14a

SHA512
f107ba2da059fa640eccb9533e859a6435f6b83aa2e0636a47444dfdcde33a6e1f3cc1c9437bcfd42675af265a0d0b9d66c86c9e66347aa41534204745e41fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTrace.err

Filesize
2B

MD5
735b90b4568125ed6c3f678819b6e058

SHA1
4d89d294cd4ca9f2ca57dc24a53ffb3ef5303122

SHA256
49d180ecf56132819571bf39d9b7b342522a2ac6d23c1418d3338251bfe469c8

SHA512
ce4dd661e4d69073c7999282048ea9ee91932db0d699f8b13b2db70fe532d987ac4a0aef309b82e1ad2aa6c2f2f60473093cd1e399a737cff3f9e70585d36be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTrace.err

Filesize
2B

MD5
fbd7939d674997cdb4692d34de8633c4

SHA1
d54ad009d179ae346683cfc3603979bc99339ef7

SHA256
f74efabef12ea619e30b79bddef89cffa9dda494761681ca862cff2871a85980

SHA512
bc7dea130d219f9d1097a174eb56df348da86f1080c5e5c1ff9e9ef4c4204640ba01b946f3a2fa8ea8adcf2a099e76ccb58d8632c7c51b1d42c5d4f72ce09413

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTrace.err

Filesize
2B

MD5
fe9fc289c3ff0af142b6d3bead98a923

SHA1
7d7116e23efef7292cad5e6f033d9a962708228c

SHA256
bbb965ab0c80d6538cf2184babad2a564a010376712012bd07b0af92dcd3097d

SHA512
3414d7bfdde8010a3aad2b5f62144cd1daedd4d88db916955b3bc9c12a72c8b6907bf7c5f2645d68de9422d3a5c7aecdecdfe70355864164f4faafeb1a6efb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTrace.err

Filesize
2B

MD5
43ec517d68b6edd3015b3edc9a11367b

SHA1
1d513c0bcbe33b2e7440e5e14d0b22ef95c9d673

SHA256
5316ca1c5ddca8e6ceccfce58f3b8540e540ee22f6180fb89492904051b3d531

SHA512
a4a3cd6ad27b0a593f5c188086978992fef71b22aa5e4211646c62c9c031dc32e301c56a3513ca811b2725eca01e09f7eefafaa65af129050beea4938ffa18ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioEndPointTrace.err

Filesize
2B

MD5
8613985ec49eb8f757ae6439e879bb2a

SHA1
2d0c8af807ef45ac17cafb2973d866ba8f38caa9

SHA256
69f59c273b6e669ac32a6dd5e1b2cb63333d8b004f9696447aee2d422ce63763

SHA512
62b09abf6d9f2846c1785343a14449c125b8955c2445171a8bd76af58c874fdf1552070145ead76e36da2869c740b98a5ee900d87403ece014ca438fbdabaac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51tgqmnl.al1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipaddress.info

Filesize
23B

MD5
e3b70d07b6755fc15f9b79cfca10d6eb

SHA1
426bc0fa167f977f847a10b28a3c29eafcfb75c7

SHA256
d324584cc9bb33026789ee7fd6417cc577f0498b80d953ad505deabdf715499a

SHA512
8f3dfd1fb2863d4fc021c5bf2672ff696d3fc9ec0cb520d182729fb96d29a5ad6bd3ac6cb508b640700da89d430f4d664903385d2d5e11a6e2e61800046d9470

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\bg-bottom.png

Filesize
4KB

MD5
3ada9688e90538e60978fb6ee09041fe

SHA1
91cf49d4a1c98b5280c0ca9c37d2a93a65bb427c

SHA256
ff17916663af2e4b08def48861eb38e8cd2ab4e4317e64ddab205803c9bdfad8

SHA512
c77ae881b18a91e4870d7e94a5b2f63c43cb455ae28244526fb27e603e1c21f83662b044856adbfd4d63056c06d288e28ba68ef97d335310032f4f737c577138

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\bg-inner.png

Filesize
6KB

MD5
a034eeaf19bb82b2ae63f4fa10c26476

SHA1
617c9ef4b889e424e754574d62649f04c97bcc67

SHA256
8fe4a3f95d5309e692c4142f460bebe4e4e24844f5a2071d466bd964c5d04dcf

SHA512
c1ffd444da1378620428b374501de974a33e898e38a9d94e88ee5977951aba89fbad033ffbac65051e021fb96dfa9039872f8dc6441de1dfea01c39c8a8ecb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\bg-top.png

Filesize
20KB

MD5
220fe6e00519a633d9ad7d1d50adc4c7

SHA1
cfcadd75996d6f1cb42c43480d24e52dd72bd917

SHA256
bdc753b2b19ee8b573b8e676f18dae42494b99b6bd738194dcdd67f244085f36

SHA512
1f00db2aab3585aff016188f12f953e832d027161076887cde42b99dab581e2396c9bfb919c43e01fd8c823f79a81425238a8c5235b47be55d7dfdcc1d190ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BABMS.tmp\buttons.png

Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\voicemodcon.err

Filesize
2B

MD5
33e75ff09dd601bbe69f351039152189

SHA1
0a57cb53ba59c46fc4b692527a38a87c78d84028

SHA256
59e19706d51d39f66711c2653cd7eb1291c94d9b55eb14bda74ce4dc636d015a

SHA512
edbd48c836f826b5ed8d62b401cd19674ef1b8627b9c68a4639819a8564f57426c632b7c1d3dee8209c48c2396da0a3a08d160617f7291a1186ca6d9de5db272

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4a80fd1f-069a-5a4e-af7d-4534bd7e0f46}\SET25FE.tmp

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4a80fd1f-069a-5a4e-af7d-4534bd7e0f46}\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4a80fd1f-069a-5a4e-af7d-4534bd7e0f46}\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Users\Admin\AppData\Local\VoicemodV3\browserCache\persistent\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\VoicemodV3\browserCache\persistent\TransportSecurity

Filesize
370B

MD5
55af87ca31f858e6c226946fcf80b75c

SHA1
c11b5c5ad03ec0076aeae35a651c1cef830828fc

SHA256
75e81b65ef047b1db6acde7c2856336f99b558bc1f7a1bee5cade7746029e1c0

SHA512
7fd3dc7ba3aee3de0ab5288b576fe6a35e8a5eb6d6fac7deaf2d7dbbaa62d59d7e7775ec4a533ece50478902a5487bf4688332354f9edcc34d83995c50041f96

Download Submit
C:\Users\Admin\AppData\Local\VoicemodV3\browserCache\persistent\TransportSecurity~RFe5a087d.TMP

Filesize
203B

MD5
0c4c0b83ae1c821a5057ed64334560ec

SHA1
d697a4692ae800f158b629028d5874daa6f087d2

SHA256
7e31606235d985b7f3b5e48e5440516bcc789691714c0e796ff52f151aa5bf75

SHA512
a18ff345da987f008860ceaab3e5c71a4ae748373a4392abebb58369b25a805088712c8498231fbfbfd0ca52bbf5b2b22a99125ce37698e34ef7042b8dbd58f2

Download Submit
memory/2092-2406-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2092-1119-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2092-1234-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3916-2331-0x00000146FA5F0000-0x00000146FA614000-memory.dmp

Filesize
144KB

Download
memory/3916-2330-0x00000146FA5F0000-0x00000146FA61A000-memory.dmp

Filesize
168KB

Download
memory/3972-2364-0x00007FFE71E80000-0x00007FFE72373000-memory.dmp

Filesize
4.9MB

Download
memory/3972-2365-0x00007FFE71E80000-0x00007FFE72373000-memory.dmp

Filesize
4.9MB

Download
memory/3972-2363-0x00007FFE73230000-0x00007FFE737F1000-memory.dmp

Filesize
5.8MB

Download
memory/4036-2459-0x00007FFE93E60000-0x00007FFE93E61000-memory.dmp

Filesize
4KB

Download
memory/4036-2463-0x00007FFE71E80000-0x00007FFE72373000-memory.dmp

Filesize
4.9MB

Download
memory/4036-2462-0x00007FFE57AD0000-0x00007FFE58AD0000-memory.dmp

Filesize
16.0MB

Download
memory/4036-2461-0x00007FFE71E80000-0x00007FFE72373000-memory.dmp

Filesize
4.9MB

Download
memory/4036-2460-0x00007FFE93BD0000-0x00007FFE93BD1000-memory.dmp

Filesize
4KB

Download
memory/4036-2458-0x00007FFE95800000-0x00007FFE95801000-memory.dmp

Filesize
4KB

Download
memory/4476-1745-0x0000021A086D0000-0x0000021A086F2000-memory.dmp

Filesize
136KB

Download
memory/6304-1757-0x00000000036A0000-0x00000000036AE000-memory.dmp

Filesize
56KB

Download
memory/6304-1236-0x00000000036A0000-0x00000000036AE000-memory.dmp

Filesize
56KB

Download
memory/6304-1138-0x00000000036A0000-0x00000000036AE000-memory.dmp

Filesize
56KB

Download
memory/6304-1193-0x00000000038B0000-0x00000000039F0000-memory.dmp

Filesize
1.2MB

Download
memory/6304-1203-0x00000000038B0000-0x00000000039F0000-memory.dmp

Filesize
1.2MB

Download
memory/6304-1198-0x00000000038B0000-0x00000000039F0000-memory.dmp

Filesize
1.2MB

Download
memory/6304-2405-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/6304-1213-0x00000000038B0000-0x00000000039F0000-memory.dmp

Filesize
1.2MB

Download
memory/6304-1208-0x00000000038B0000-0x00000000039F0000-memory.dmp

Filesize
1.2MB

Download
memory/6304-2339-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/6304-1235-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/6304-1327-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/6304-1756-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/6324-2308-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download
memory/6324-2309-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download
memory/6324-2310-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download
memory/6324-2320-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download
memory/6324-2319-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download
memory/6324-2318-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download
memory/6324-2317-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download
memory/6324-2316-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download
memory/6324-2315-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download
memory/6324-2314-0x0000024A8D780000-0x0000024A8D781000-memory.dmp

Filesize
4KB

Download