afd7452c34570e409fc0c2bc8a22fb7429a3cc8f48e85fe6a154656ec020330d

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoicemodSetup.exe
Size

22.2MB
MD5

2c74a59f3a312c9003e3bdf2f458c87f
SHA1

97b1ede9c186ea36a74bceb1bf5e5689aad99086
SHA256

afd7452c34570e409fc0c2bc8a22fb7429a3cc8f48e85fe6a154656ec020330d
SHA512

b5e8810733694aa773c4c3b8a4063e5fddd962b64d2ad697223ddeb7337f09e8c21fc1efdb2c13c854f2e6884940fac217338e0839fd21d2b4db3c2da031a392
SSDEEP

393216:D2MvvQScyvXuaXVTwkBgoEMNBrDXLuzLYzCdcv8p5UPxaMQlBf4PrE:SMvVcysoEcLuzLig5p5UPxtyAP4

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\SETEDF5.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SETEDF5.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File created	C:\Windows\system32\drivers\SETEF0E.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\SETEF0E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voicemod = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\""	VoicemodSetup.tmp

Downloads MZ/PE file

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}\SETEBD4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.PNF	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}\SETEBA3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}\SETEBA4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.PNF	devcon.exe
File created	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}\SETEBA3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}\vmdrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}\vmdrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}\SETEBA4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d1a4a806-ccd8-3049-a021-a4a12cefb9d5}\SETEBD4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.inf	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Voicemod Desktop\lib\is-8UC9G.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\es\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-18OPL.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\zh\is-K0IRI.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ru\is-B7HEI.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh\SimpleConverter.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-RPMBP.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-0T2PH.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\es\is-01VFE.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-OLFHV.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-8Q087.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\devcon.exe	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\de\SimpleConverter.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ko\SimpleConverter.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-NPQ3L.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-IIMSM.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\DriverPackageUninstall.exe	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\SimpleConverter.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-3P723.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\zh\is-028MU.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\SharpDX.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-7FEFK.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\uninstalldriver.log	cmd.exe
File opened for modification	C:\Program Files\Voicemod Desktop\lib\GoogleAnalytics.Core.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ko\is-69LS8.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\Newtonsoft.Json.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\de\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\pt\is-RC58J.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-LGN7C.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\fr\is-BQH1N.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-M5V61.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-7C173.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-H54GQ.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\es\is-RQMAD.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\NAudio.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\RawInputProcessor.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ru\SimpleConverter.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\defaultdevices.txt	SaveDefaultDevices.exe
File opened for modification	C:\Program Files\Voicemod Desktop\lib\VoicemodLogger.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-U29IJ.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\unins000.msg	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\pt\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ru\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\de\is-CJNU3.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\fr\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-66AIU.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\fr\is-B0S10.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ko\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-V8HAI.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-70QIA.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\VoicemodShockets.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-MCKUJ.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\unins000.dat	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\Fleck.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\fr\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ko\is-6SG8J.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-AOH2F.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-4DJQ1.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ru\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\48000\is-QM3Q5.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\VoicemodControls.dll	VoicemodSetup.tmp

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem1.PNF	devcon.exe
File created	C:\Windows\INF\oem2.PNF	devcon.exe
File created	C:\Windows\INF\c_media.PNF	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 14 IoCs

pid	Process
3972	VoicemodSetup.tmp
4360	vc_redist.x64.exe
3712	vc_redist.x64.exe
524	vc_redist.x86.exe
2436	vc_redist.x86.exe
1464	SaveDefaultDevices.exe
4524	devcon.exe
4740	devcon.exe
2196	devcon.exe
4068	VoicemodDesktop.exe
4368	VoicemodDesktop.exe
3864	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
4836	VoicemodDesktop.exe

Loads dropped DLL 26 IoCs

pid	Process
3972	VoicemodSetup.tmp
3712	vc_redist.x64.exe
2436	vc_redist.x86.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3972	VoicemodSetup.tmp
3972	VoicemodSetup.tmp
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4368	VoicemodDesktop.exe
4368	VoicemodDesktop.exe
3864	VoicemodDesktop.exe
3864	VoicemodDesktop.exe
3864	VoicemodDesktop.exe
4368	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeAuditPrivilege	3236	svchost.exe
Token: SeSecurityPrivilege	3236	svchost.exe
Token: SeLoadDriverPrivilege	4740	devcon.exe
Token: SeRestorePrivilege	1376	DrvInst.exe
Token: SeBackupPrivilege	1376	DrvInst.exe
Token: SeRestorePrivilege	1376	DrvInst.exe
Token: SeBackupPrivilege	1376	DrvInst.exe
Token: SeRestorePrivilege	1376	DrvInst.exe
Token: SeBackupPrivilege	1376	DrvInst.exe
Token: SeLoadDriverPrivilege	1376	DrvInst.exe
Token: SeLoadDriverPrivilege	1376	DrvInst.exe
Token: SeLoadDriverPrivilege	1376	DrvInst.exe
Token: SeLoadDriverPrivilege	2196	devcon.exe
Token: SeRestorePrivilege	2928	DrvInst.exe
Token: SeBackupPrivilege	2928	DrvInst.exe
Token: SeRestorePrivilege	2928	DrvInst.exe
Token: SeBackupPrivilege	2928	DrvInst.exe
Token: SeRestorePrivilege	2928	DrvInst.exe
Token: SeBackupPrivilege	2928	DrvInst.exe
Token: SeLoadDriverPrivilege	2928	DrvInst.exe
Token: SeLoadDriverPrivilege	2928	DrvInst.exe
Token: SeLoadDriverPrivilege	2928	DrvInst.exe
Token: SeLoadDriverPrivilege	2928	DrvInst.exe
Token: SeDebugPrivilege	4068	VoicemodDesktop.exe
Token: SeDebugPrivilege	4368	VoicemodDesktop.exe
Token: SeDebugPrivilege	3864	VoicemodDesktop.exe
Token: 33	2196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2196	AUDIODG.EXE
Token: 33	4068	VoicemodDesktop.exe
Token: SeIncBasePriorityPrivilege	4068	VoicemodDesktop.exe
Token: SeDebugPrivilege	3252	VoicemodDesktop.exe
Token: 33	3252	VoicemodDesktop.exe
Token: SeIncBasePriorityPrivilege	3252	VoicemodDesktop.exe
Token: SeDebugPrivilege	4836	VoicemodDesktop.exe
Token: 33	4836	VoicemodDesktop.exe
Token: SeIncBasePriorityPrivilege	4836	VoicemodDesktop.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
3972	VoicemodSetup.tmp
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4068	VoicemodDesktop.exe
4068	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
3252	VoicemodDesktop.exe
4836	VoicemodDesktop.exe
4836	VoicemodDesktop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3972	2192	VoicemodSetup.exe	93
PID 2192 wrote to memory of 3972	2192	VoicemodSetup.exe	93
PID 2192 wrote to memory of 3972	2192	VoicemodSetup.exe	93
PID 3972 wrote to memory of 4360	3972	VoicemodSetup.tmp	101
PID 3972 wrote to memory of 4360	3972	VoicemodSetup.tmp	101
PID 3972 wrote to memory of 4360	3972	VoicemodSetup.tmp	101
PID 4360 wrote to memory of 3712	4360	vc_redist.x64.exe	102
PID 4360 wrote to memory of 3712	4360	vc_redist.x64.exe	102
PID 4360 wrote to memory of 3712	4360	vc_redist.x64.exe	102
PID 3972 wrote to memory of 524	3972	VoicemodSetup.tmp	104
PID 3972 wrote to memory of 524	3972	VoicemodSetup.tmp	104
PID 3972 wrote to memory of 524	3972	VoicemodSetup.tmp	104
PID 524 wrote to memory of 2436	524	vc_redist.x86.exe	105
PID 524 wrote to memory of 2436	524	vc_redist.x86.exe	105
PID 524 wrote to memory of 2436	524	vc_redist.x86.exe	105
PID 3972 wrote to memory of 1464	3972	VoicemodSetup.tmp	106
PID 3972 wrote to memory of 1464	3972	VoicemodSetup.tmp	106
PID 3972 wrote to memory of 4444	3972	VoicemodSetup.tmp	108
PID 3972 wrote to memory of 4444	3972	VoicemodSetup.tmp	108
PID 4444 wrote to memory of 1144	4444	cmd.exe	110
PID 4444 wrote to memory of 1144	4444	cmd.exe	110
PID 1144 wrote to memory of 4524	1144	cmd.exe	111
PID 1144 wrote to memory of 4524	1144	cmd.exe	111
PID 4444 wrote to memory of 4740	4444	cmd.exe	112
PID 4444 wrote to memory of 4740	4444	cmd.exe	112
PID 3236 wrote to memory of 1048	3236	svchost.exe	114
PID 3236 wrote to memory of 1048	3236	svchost.exe	114
PID 3236 wrote to memory of 1376	3236	svchost.exe	115
PID 3236 wrote to memory of 1376	3236	svchost.exe	115
PID 4444 wrote to memory of 2196	4444	cmd.exe	117
PID 4444 wrote to memory of 2196	4444	cmd.exe	117
PID 3236 wrote to memory of 2928	3236	svchost.exe	118
PID 3236 wrote to memory of 2928	3236	svchost.exe	118
PID 3972 wrote to memory of 4068	3972	VoicemodSetup.tmp	119
PID 3972 wrote to memory of 4068	3972	VoicemodSetup.tmp	119
PID 4068 wrote to memory of 620	4068	VoicemodDesktop.exe	129
PID 4068 wrote to memory of 620	4068	VoicemodDesktop.exe	129
PID 4068 wrote to memory of 636	4068	VoicemodDesktop.exe	131
PID 4068 wrote to memory of 636	4068	VoicemodDesktop.exe	131
PID 4068 wrote to memory of 4720	4068	VoicemodDesktop.exe	133
PID 4068 wrote to memory of 4720	4068	VoicemodDesktop.exe	133
PID 4068 wrote to memory of 3032	4068	VoicemodDesktop.exe	135
PID 4068 wrote to memory of 3032	4068	VoicemodDesktop.exe	135
PID 4068 wrote to memory of 4396	4068	VoicemodDesktop.exe	137
PID 4068 wrote to memory of 4396	4068	VoicemodDesktop.exe	137
PID 4068 wrote to memory of 4080	4068	VoicemodDesktop.exe	139
PID 4068 wrote to memory of 4080	4068	VoicemodDesktop.exe	139
PID 4068 wrote to memory of 4804	4068	VoicemodDesktop.exe	141
PID 4068 wrote to memory of 4804	4068	VoicemodDesktop.exe	141
PID 4068 wrote to memory of 2960	4068	VoicemodDesktop.exe	143
PID 4068 wrote to memory of 2960	4068	VoicemodDesktop.exe	143
PID 4068 wrote to memory of 2360	4068	VoicemodDesktop.exe	145
PID 4068 wrote to memory of 2360	4068	VoicemodDesktop.exe	145
PID 4068 wrote to memory of 4320	4068	VoicemodDesktop.exe	147
PID 4068 wrote to memory of 4320	4068	VoicemodDesktop.exe	147
PID 4068 wrote to memory of 3392	4068	VoicemodDesktop.exe	149
PID 4068 wrote to memory of 3392	4068	VoicemodDesktop.exe	149
PID 4068 wrote to memory of 4440	4068	VoicemodDesktop.exe	151
PID 4068 wrote to memory of 4440	4068	VoicemodDesktop.exe	151
PID 4068 wrote to memory of 3520	4068	VoicemodDesktop.exe	153
PID 4068 wrote to memory of 3520	4068	VoicemodDesktop.exe	153
PID 4068 wrote to memory of 3188	4068	VoicemodDesktop.exe	155
PID 4068 wrote to memory of 3188	4068	VoicemodDesktop.exe	155
PID 4068 wrote to memory of 3452	4068	VoicemodDesktop.exe	157

C:\Users\Admin\AppData\Local\Temp\VoicemodSetup.exe
"C:\Users\Admin\AppData\Local\Temp\VoicemodSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\is-R1U0U.tmp\VoicemodSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R1U0U.tmp\VoicemodSetup.tmp" /SL5="$100120,22991991,87040,C:\Users\Admin\AppData\Local\Temp\VoicemodSetup.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\is-NQUG6.tmp\vc_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-NQUG6.tmp\vc_redist.x64.exe" /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\Temp\{03AF1AD4-A52C-408B-985B-DC9630823CD9}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{03AF1AD4-A52C-408B-985B-DC9630823CD9}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-NQUG6.tmp\vc_redist.x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=556 /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3712
- - C:\Users\Admin\AppData\Local\Temp\is-NQUG6.tmp\vc_redist.x86.exe
    "C:\Users\Admin\AppData\Local\Temp\is-NQUG6.tmp\vc_redist.x86.exe" /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\Temp\{8E28BC0C-A49B-47BB-A1BA-44DD84E098A8}\.cr\vc_redist.x86.exe
      "C:\Windows\Temp\{8E28BC0C-A49B-47BB-A1BA-44DD84E098A8}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-NQUG6.tmp\vc_redist.x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2436
- - C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
    "C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:1464
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "devcon.exe dp_enum"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Program Files\Voicemod Desktop\driver\devcon.exe
        
        devcon.exe dp_enum
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:4524
  - - C:\Program Files\Voicemod Desktop\driver\devcon.exe
      devcon install vmdrv.inf *VMDriver
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:4740
  - - C:\Program Files\Voicemod Desktop\driver\devcon.exe
      devcon update vmdrv.inf *VMDriver
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:2196
- - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
    "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-alien-vocoder*.wav
      4⤵
      PID:620
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-android-background*.wav
      4⤵
      PID:636
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-android-vocoder*.wav
      4⤵
      PID:4720
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-aphonic-vocoder*.wav
      4⤵
      PID:3032
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-beach*.wav
      4⤵
      PID:4396
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-capella*.wav
      4⤵
      PID:4080
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-reggae*.wav
      4⤵
      PID:4804
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-rock*.wav
      4⤵
      PID:2960
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cave*.wav
      4⤵
      PID:2360
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cop-chase*.wav
      4⤵
      PID:4320
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cop-radio*.wav
      4⤵
      PID:3392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-fear-background*.wav
      4⤵
      PID:4440
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-fear-background-in*.wav
      4⤵
      PID:3520
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-franky-background*.wav
      4⤵
      PID:3188
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-franky-vocoder*.wav
      4⤵
      PID:3452
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-ghost-background*.wav
      4⤵
      PID:4948
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-ghost-vocoder*.wav
      4⤵
      PID:4368
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-harmony-vocoder*.wav
      4⤵
      PID:2140
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-hurry-up-in*.wav
      4⤵
      PID:3020
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-hurry-up-loop*.wav
      4⤵
      PID:1808
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-bee*.wav
      4⤵
      PID:2788
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-growl*.wav
      4⤵
      PID:4396
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-leopard*.wav
      4⤵
      PID:4336
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-tiger*.wav
      4⤵
      PID:2212
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-magic-chords-vocoder*.wav
      4⤵
      PID:1392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-party-time-background*.wav
      4⤵
      PID:3612
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-party-time-vocoder*.wav
      4⤵
      PID:1048
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-possessed-background*.wav
      4⤵
      PID:3840
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-robot-background*.wav
      4⤵
      PID:1236
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-robot-vocoder*.wav
      4⤵
      PID:1840
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-romantic-paris*.wav
      4⤵
      PID:4884
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-romantic-ulala*.wav
      4⤵
      PID:1640
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-santa-background*.wav
      4⤵
      PID:1028
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-sleepyhead*.wav
      4⤵
      PID:1212
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spacemen-background*.wav
      4⤵
      PID:1680
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-speechifier-ovation-background*.wav
      4⤵
      PID:4600
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-speechifier-protest-background*.wav
      4⤵
      PID:2268
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spirit-background*.wav
      4⤵
      PID:3260
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spirit-vocoder*.wav
      4⤵
      PID:4804
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-action-background*.wav
      4⤵
      PID:2960
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-drama-background*.wav
      4⤵
      PID:2548
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-happy-background*.wav
      4⤵
      PID:1616
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-student-hall*.wav
      4⤵
      PID:4292
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-student-playtime*.wav
      4⤵
      PID:1960
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-sword-background*.wav
      4⤵
      PID:4544
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-underwater*.wav
      4⤵
      PID:4756
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-1*.wav
      4⤵
      PID:2620
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-2*.wav
      4⤵
      PID:4816
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-3*.wav
      4⤵
      PID:3516
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-4*.wav
      4⤵
      PID:4788
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-1*.wav
      4⤵
      PID:972
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-2*.wav
      4⤵
      PID:3032
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-3*.wav
      4⤵
      PID:3544
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-4*.wav
      4⤵
      PID:2760
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-background*.wav
      4⤵
      PID:1144
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-vocoder*.wav
      4⤵
      PID:4524
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-vocoder2*.wav
      4⤵
      PID:4928
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cooltune-vocoder*.wav
      4⤵
      PID:4372
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-punk-vocoder*.wav
      4⤵
      PID:3968
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx01*.wav
      4⤵
      PID:4740
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx02*.wav
      4⤵
      PID:3964
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx03*.wav
      4⤵
      PID:3136
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx04*.wav
      4⤵
      PID:3348
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx05*.wav
      4⤵
      PID:4368
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx06*.wav
      4⤵
      PID:2140
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx07*.wav
      4⤵
      PID:3020
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx08*.wav
      4⤵
      PID:4228
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx09*.wav
      4⤵
      PID:4348
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx10*.wav
      4⤵
      PID:3972
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx11*.wav
      4⤵
      PID:1464
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx12*.wav
      4⤵
      PID:4316
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx13*.wav
      4⤵
      PID:2980
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx14*.wav
      4⤵
      PID:2548
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx15*.wav
      4⤵
      PID:4928
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar1*.wav
      4⤵
      PID:4292
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar2*.wav
      4⤵
      PID:1972
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar3*.wav
      4⤵
      PID:4544
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar4*.wav
      4⤵
      PID:2040
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar5*.wav
      4⤵
      PID:2728
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar6*.wav
      4⤵
      PID:2916
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky1*.wav
      4⤵
      PID:4264
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky2*.wav
      4⤵
      PID:3080
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky3*.wav
      4⤵
      PID:2884
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky4*.wav
      4⤵
      PID:3464
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky5*.wav
      4⤵
      PID:524
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-exo*.wav
      4⤵
      PID:3252
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-gameover-amb*.wav
      4⤵
      PID:1192
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-outofrange*.wav
      4⤵
      PID:4432
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder1*.wav
      4⤵
      PID:4332
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder2*.wav
      4⤵
      PID:3392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder3*.wav
      4⤵
      PID:4724
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-titan-background-part1*.wav
      4⤵
      PID:4516
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-titan-background-part2*.wav
      4⤵
      PID:1552
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx16*.wav
      4⤵
      PID:4892
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx17*.wav
      4⤵
      PID:3864
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx18*.wav
      4⤵
      PID:1684
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx19*.wav
      4⤵
      PID:3984
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx20*.wav
      4⤵
      PID:636
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-bass*.wav
      4⤵
      PID:4412
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-octava*.wav
      4⤵
      PID:4920
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-quinta*.wav
      4⤵
      PID:896
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-tercera*.wav
      4⤵
      PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:8
1⤵
PID:4884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5d2a4b4f-0e1f-9f43-bf0d-54fda2369361}\vmdrv.inf" "9" "499a51a03" "000000000000013C" "WinSta0\Default" "0000000000000158" "208" "c:\program files\voicemod desktop\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1048
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:11.18.35.982:*vmdriver," "499a51a03" "000000000000013C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:11.18.35.982:*vmdriver," "499a51a03" "0000000000000174"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578 0x31c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c4a04becc9e7419ba6dafe312dc036c1 /t 436 /p 4068
1⤵
PID:4600

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6d8c97cec35b43ae89d2eaf791eb4082 /t 2244 /p 3252
1⤵
PID:928

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
2.8MB

MD5
60271d3806a3def814980266fd07f32d

SHA1
b862f3c346ef7d5834c5196dd5596c39296ceb17

SHA256
d2a3683c8078509b09d97da2d190dc9c19f52d22003e31bf29e352beb611be91

SHA512
5c351025379106f857c6a67defea313ab625a419c6bf10ddc6d6e9155826e990181b2e400ced40a6182893cae706a999f3b7516549ebd17b50f0f2070efc4408

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe.config

Filesize
8KB

MD5
4bff4b706028b0c1a4493478a41b6075

SHA1
0ebaa8b02aafee8a45b282c09bc59525e81eb2ee

SHA256
71245f7de6f8cd1855194be81c191f8435fbe62b780f40fadfbce1efabb21f44

SHA512
10c1b88fea7298610a9a8a78b83319fc8b3299513879031f63292de7c90520ecf3c2009ab8eb00a9f0ee262a4f433d272150db42a7e94fb20bb63b66e06c8f49

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\defaultdevices.txt

Filesize
79B

MD5
0e5eb142f749641ed53bbe3ef1dbe117

SHA1
a6d2fe121719a6b7fb1643ee5943400dc76110bb

SHA256
1858a607f47d5d33bc078209c49257888a1e1d1ffd7efe7c6045c627784de0f3

SHA512
164d12352a1593abcbf373471b36a73fc7674efb6d5673a67380d17da172b8ad0f0e6f307c014d0f0c92e71c344417db089a273086068a89c220440c50bebd49

Download Submit
C:\Program Files\Voicemod Desktop\driver\devcon.exe

Filesize
103KB

MD5
8d54022fb70fd952257ca4ea17efabc6

SHA1
8f0af9538ae263ead5d310b8cf393f46b0e4689e

SHA256
4bee65c38784c64888c12dc35fc706051dcdb32b4949766e83ad260096601812

SHA512
38a020b700b463331918c055bba8cd1e4281231954d854ad9b10d1da746f495afed5b110401266edfeb31416d2b0308209da1391ac0d1401da25546b380df38f

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrv.bat

Filesize
110B

MD5
8a8790395e17b81e5638c805d25f1aad

SHA1
da8fa73c457715c8a9c52e93f640bc34983f6a14

SHA256
8d0ee2177712918bde4be1fdba8d87815863d864a993a3361459ce194131f6a3

SHA512
9eb26cd0bc8e0d41ba4acb34eb4e809317dc5f7e1a0f7e6671dd64f6deb7720ffbfaff76b94e24162ddd992582793bb8f94227cd7b59fccb0234d753862fec75

Download Submit
C:\Program Files\Voicemod Desktop\driver\uninstalldriver.bat

Filesize
1KB

MD5
90df9e95ac9ce0911012063619c7f6db

SHA1
4d942854cfd3b5e21327a0c8a7366c570ef63a4e

SHA256
883f7763a00f6419f7acc21a1772077e16b432dd1b6d15ba092a3a3a19667bc3

SHA512
6513d48c996f845bf1635552fbda26c68c57a0cfb7dde0e92181378b9724cd69d80b5d0f2e5fea2c9dcca03f668e4da81fbbffbb2c356f301bbee6baddb525bc

Download Submit
C:\Program Files\Voicemod Desktop\driver\vmdrv.inf

Filesize
4KB

MD5
69ffb954ea5d86423e3119b1243245aa

SHA1
21b7dfed35ae606d6dd3a4084a9d2f23d5e0c0fe

SHA256
fdc1514450a4eac615d959e17e527c6d69cfe92871626b39bc38a096a439a45d

SHA512
bc6130d3e989109f246af6c5db4e1a08c6363dacbce25d7dc164c8d4a1f89682b6afb761ef1199d17eb35198b9dc60e6bbbe5c91e37739d42565a8039e5ca410

Download Submit
C:\Program Files\Voicemod Desktop\lib\AutoUpdater.NET.dll

Filesize
247KB

MD5
352ae2bf69212f6ed9c83a490b7f3092

SHA1
796dae8aa2cbaf23edbeca952004bc5027c48981

SHA256
bf1e263bc97bdfe32d90471253d9771a132e5cc1546502ed7c8e94548f6472a6

SHA512
c01c753f9cc5aee8c0e8506d8331bd7e7be33d9635a94b9d38d4c019f72cce8ca82c4b4899873d58c150cb9c2000a010cf99a1de9f240af60f609d613b276b1b

Download Submit
C:\Program Files\Voicemod Desktop\lib\Fleck.dll

Filesize
43KB

MD5
6d146f7df192621476283af335fd4180

SHA1
23856ece8d35a46fab20d999baec69b995819ff4

SHA256
65ae6fc064fe4e079fd7a462b79694b22275307723e0127dfe5c33132d30f902

SHA512
7d414ce663f2f1ac115335ab2f9454f6001fa175c71d49c6d09e0c3f3f1003809e56f7fba88a8d04b9e34a8032c3e4d2e467b30d12f7483ec60fee350a2fcef1

Download Submit
C:\Program Files\Voicemod Desktop\lib\GoogleAnalytics.Core.dll

Filesize
42KB

MD5
d67fe5af6345272b8b24e1d4b08732d5

SHA1
863f1b88aa8f8dcfc4e13339951cf12c52a1cbcd

SHA256
8a3871479b26a5da72788eacb4543b32cadc0aacffb82bb7351040d4e4a915ca

SHA512
e670e53a983e3c209a2cf3a9178cfcaba2a125530241f5b86c4d9052598d382c2a69824b2254c269ee716800b43fe3e920020d5cfc1c428f32d79372b0979892

Download Submit
C:\Program Files\Voicemod Desktop\lib\Hardcodet.Wpf.TaskbarNotification.dll

Filesize
43KB

MD5
366cd5572e467b3b06515cfb4ab036ad

SHA1
156f75191d06905003a7ab811880556af8dad44a

SHA256
f84935be717e1c49a54c1d7f8476243a4d34c0ea90c4ad13afe3f50164ba5f2e

SHA512
96c4d4c8c05478dc124cbaaa3d36b304697edb1d0e7ae197c786f04e76df516cbf093d4aeae8cfeb9182f22c3758e93e242d43e8510935be473c1c0637a03e21

Download Submit
C:\Program Files\Voicemod Desktop\lib\Newtonsoft.Json.dll

Filesize
638KB

MD5
f33cbe589b769956284868104686cc2d

SHA1
2fb0be100de03680fc4309c9fa5a29e69397a980

SHA256
973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278

SHA512
ffd65f6487bc71c967abcf90a666080c67b8db010d5282d2060c9d87a9828519a14f5d3a6fe76d81e1d3251c2104a2e9e6186af0effd5f331b1342682811ebf4

Download Submit
C:\Program Files\Voicemod Desktop\lib\RawInputProcessor.dll

Filesize
21KB

MD5
33f6ad87b6d8128b831be2884cb4ab2e

SHA1
e4277426445197a7ae4463b7732ccb282fcecf42

SHA256
ee069a485d30cebc1c56f25d2c1b418c13bf685065f1a3c2976bbec42f5b53b9

SHA512
f7104bc09bc4ce4f773fc2637a0952adef836715a6298545a7124364aaa94124e2cea699672113805911b942758128255394361baa42997f02769b7df454c2e1

Download Submit
C:\Program Files\Voicemod Desktop\lib\SharpDX.RawInput.dll

Filesize
24KB

MD5
c424d62f5045d6e2800c7fdef5f1697d

SHA1
434e533928d6da0da41201d6e4b0baa97ac93b91

SHA256
727e4f5e311b1f582bc89ae9e2c3cd585b7952c433b6e7656521bac05811f651

SHA512
0e5a564d9de35eb3747350c4ff7e456cd8b544f89641c7bc7df03008c30ff0eae53b3d5c5744fc736fe9aab27d638455ad221499a2b13f2084cfb602f13fc114

Download Submit
C:\Program Files\Voicemod Desktop\lib\SharpDX.dll

Filesize
260KB

MD5
6fabeaa1c8ea15e787f2e3b487ab434d

SHA1
c2091f69192903676ed6b181bbf8346b819c43a2

SHA256
28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909

SHA512
076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

Download Submit
C:\Program Files\Voicemod Desktop\lib\SimpleConverter.dll

Filesize
10KB

MD5
f39f4d5a10201198b0789e10a915baa6

SHA1
f81e7ffe073217a48adf0d794261aa69ee943ec4

SHA256
f6d536162aed7f088b7d7d4bd18f33373f912cf6c3c2699cd7703ea2eef05cbe

SHA512
c337808b1f8436453f9b46057eb66b206e54d4810a11be11d125b1b92c31ab16d1faa4221d58c5e3813ecc3d7afe28d00a5fb9118d89b9d32558608d4e71d56c

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodControls.dll

Filesize
22KB

MD5
68cb781b645a287646e211ff3133fbe4

SHA1
20f79d9aff52da78a2cd946a1c4c6f5b2cd062d3

SHA256
f99f25bdfa5ea1a40fc219738ea3e56657a2119bd9d07c3961a168a72ab37f9e

SHA512
69b3e636f53e684fb2d1a1a183a8d3131c33d357269f4a009f8f0690c9662dee62b63be1bb79c0aecdc16f3320e616700971a1af5749a1d3af5dde6bf1335269

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodLogger.dll

Filesize
14KB

MD5
67f3a5fd99bc104a01a906df6f5896e3

SHA1
39527769e186278029a6d4303cb3015ac90d5c01

SHA256
8f2c68dd604321d09343b5566b74d72527e78ad717fc41e91d48ce931a8eedb0

SHA512
e46dc143ca5a73ba2215bf7cc5e9c530ea163db55418291bf2f2a8f83ec2084b025e0269f398d92c14f8fc5b182e08ab2868f288c559454c8ab5c517cf393995

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodSDKDotNET.dll

Filesize
22.4MB

MD5
a88987bb53e80e790611ead096add25b

SHA1
e4c7965384d4c467f228dcd83eb16754c47377cf

SHA256
0286fcd7d25ae394323ce46b23d800f966e4da4d8441d51d6d74f3943cd69b0f

SHA512
d21069e03636036b8484ec9e37cf5d56468b80b281923ca79607d56cfe7f2befaf1981850702958e07a28d95029bd2f42a1d5bb09c83e5da541dec58ec9c752c

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodShockets.dll

Filesize
12KB

MD5
80e49cafaed9e42fed7380ef96f22922

SHA1
f6cb4095d3fbeb4f06f829ab13fe979c64728c7c

SHA256
3c560d555221dc58b10de2edbedab07541b9673e686279c883ee955646096f2c

SHA512
16f02c89b425aa8412d92945ddd1a8a87b78ffabb033a125ee9df5a51430fa2806579c710c7f9832a172a20919dffd33e98eecca512a98b3271053567a17d09c

Download Submit
C:\ProgramData\Voicemod\Temp\sdk-custom-fx01_44100.wav

Filesize
524KB

MD5
2516ae38a1111603415a6e333b774f38

SHA1
5c1803b3e5542a23db25f5fc55afa66ac0cae8dc

SHA256
4312292ed70789b7bbc6363df24ef91f98f19ad47d7458af2468031da23f0a24

SHA512
aa83d86e15fb5eb9ca627f9d35919ad126f2fd0eb107e0de9f1c5bbc9f126405e489549d11b13003ee1ff3c72604f1b7684a8562c4c5efe104d118e938f46d49

Download Submit
C:\ProgramData\Voicemod\VoiceData\sdk-custom-fx01.dat

Filesize
136KB

MD5
9e00c46f54c86ca14352960177e37b7c

SHA1
b41333fb5f8572d989136fdfc95791a7b5d9d563

SHA256
053c5a457729cf059c6bf023fc693246635b147040066e0953f5b5e119e68037

SHA512
1a2afa13b114e64b24d8823ed2df6d6b2a3829c49f90b09145d2ecc7b92423200e1f61c7dd657c567b3045902ee0e6c252f4d7d5567cdae9d637ee9b53ad8375

Download Submit
C:\ProgramData\Voicemod\VoiceData\sdk-walkie-terror-1.dat

Filesize
13KB

MD5
0ac77f83d2d00526db401718f13519c2

SHA1
6e1755c5ff69ca23ffd2af543b65fc299bc6a3ca

SHA256
254cca4fe05e8cb0b4d8ddd977258f1e780bb12f6d473e407e8445d1022649a8

SHA512
9336d5dd34e35b5199cc1fbe5cd98ad2d2f2d6fb9926907e8a78121fb58e9c17b320630e0f673bb70b2d1487b84654176ffb12cccb3cf1e7fa5317ce3d1ec64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_51A881270F6155CF26F60F8639C44CB6

Filesize
471B

MD5
a7817b5c315db4f72f9ebb26ed18bdf5

SHA1
affd9c21e2f158561a6ba3ddc5a38c0cb54b2d53

SHA256
e4cb866f96d9e7ea5059126b80b5ed4060b29b108de63e07e7fc2eb2c09a8a56

SHA512
4483f0aff3e6d53697a6ea51dd1d0fb73703b13a93794ae11973cd25469f530633f53ff73442d0eea3d4fec257fff626eed3fc69e3d64032838bbb0a17c1a656

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_51A881270F6155CF26F60F8639C44CB6

Filesize
408B

MD5
e74f6b8b660711bb242ccd7d03b4798e

SHA1
2419597d66559e30cb4170c067fdf312b54040a0

SHA256
c9acccd3e9f719522eef85d6c0e123883ea878927c27dd13a6ae3253aa9dec5f

SHA512
0261d12656d5e185735e581c26a220f0efd313fa1672713fc9832df8a1a3449eb7697639d621335763427b932317b2949efeba40708357f6dc4f28963112e07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VoicemodDesktop.exe.log

Filesize
1KB

MD5
67022ef4d501993f13a7c907910d2ea2

SHA1
2ae70f9fae494c52f415d442f4fbbbb01280f016

SHA256
d3042c73e34b33a183064b62348c0ed2931768ec0576bf51f3327f9dba085869

SHA512
a4f254356c5e3bef5e8156cf9dbb2c4dbcfbbfe44e73063948671aaa4955966b59e0bd9157612fad18023ce221be926ad58d289b28469f5b3db02b04e6fe7caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoicemodSDKDotNET.Amd64.1.3.0.7\VoicemodSDK.dll

Filesize
22.3MB

MD5
6b0543fb8961eeb922ca06caae8352f3

SHA1
8b266885db9a88f2f89078eee5d2b2bd0f5a0918

SHA256
e3dea719f31d200f4e9719d5a8e7e34ff385652bec82c2ee7fbbc48ac888fa1b

SHA512
9cb787d924d61cee4708941d52345e68998aaf230403bef0a1c73e5755f11a6fa19be917d9038617f485d3bc8ef46b90fab0bf3a0e1bb2f292dedba9c6463087

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQUG6.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQUG6.tmp\vc_redist.x64.exe

Filesize
14.6MB

MD5
d87640d43d161241d461949812e91d60

SHA1
1ba9c101bf77557d5ee9da6f967d94e1ca629f00

SHA256
5b0cbb977f2f5253b1ebe5c9d30edbda35dbd68fb70de7af5faac6423db575b5

SHA512
bb15e7465bdfb60ed9379a76c29eac5d76bf18c1f4bcfabc15b1aaf22624b1d389afbcb9f83bf638e2b0adad48cc324f437fad3150fd54c402723d2dd3dc02ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQUG6.tmp\vc_redist.x86.exe

Filesize
14.0MB

MD5
310f8aadd8055f8b8eba1a6528be7d10

SHA1
3ee9622151e4b50837fcdfac1b085430f0181f4e

SHA256
54ad46ae80984aa48cae6361213692c96b3639e322730d28c7fb93b183c761da

SHA512
2872a30939f7ee20b494806574cf5b8b5a0976f8fe69bdbd77dde2483ce2a9e5458ff3636147e49a449e941a44ca2d79239e3da62fddb69fc5bced8ee1004ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R1U0U.tmp\VoicemodSetup.tmp

Filesize
737KB

MD5
1a9f24ba757fd08f3b4db5570cd1bfd0

SHA1
6c8e5ee1db1bb8471dc2c2c7a1d9835d60df2d8d

SHA256
326071c6e04b3552414337cea066d809d987dbddbc8ad717626abc9dff748956

SHA512
bbc2bc152363d789c636941f71894b8a6062a5b37b33748c5e7eb6014bbb8ee0461c29fd892272758ece489abbe7cc4e0695f094a4963411723f698456c308a6

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\313i5c5x.newcfg

Filesize
2KB

MD5
a263cda133fc7e71c578973d8ec27e0a

SHA1
dae3464c830a8345cccc446fa39edc57830e4eba

SHA256
cb871f32532538b7b888b2fabe9ee090d9e483bc9cac6d40429ec841dde3aaf6

SHA512
0344e441b60d263e2501fd3ea9604eb4e51ccf707ecfd0535c8e6455cabd6166f90951a49350dc98b8b6414faadf90be9c07df915e830da4713f44c11a0a5201

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\gjvxzajh.newcfg

Filesize
2KB

MD5
7f5fa195fdd20fce8703f870500581a2

SHA1
4070f64f7e9c4bbe4c3c7b3443ff717d7164bf77

SHA256
0f4e54c71d97f7ecae3b207b7a3f9f321875c848086260bdb3f9c0737efcbc9c

SHA512
04f2e423a9b79cdb1cea0915874cc7a1f9dfa97ca7ea3ba5cd43543e9e9772002e7145c60b439886165e857bf4db5c6cfdf806304a7adb84b5104f7a023b2332

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
1KB

MD5
f5d1d77a09bb76993025704570a5e80e

SHA1
ff10df926ede1aced535cfe6b0d256b6352f8c7d

SHA256
08a43262c48fecdb3bdde560898cbfb9ca58530a73cd35610dd5219aed4c4c13

SHA512
0840b15035523e8d8ba148a8298baa7986b8b9812be84de9bee7e15d34fe066768f56b2436905e8206ed4b8e535ab1c3d988ccf20cbe0026bb5218a0b8bbdea8

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
2KB

MD5
75b60a37c2294f7ee81f5ceb0f0d9e47

SHA1
6660304a83f02832df18c83db726eaa8c7a0013e

SHA256
8874e5a12eef4d5651b2b06aeb721cdc691ad1724c37d5fa8e34b89a404070e9

SHA512
214756e4a983ae55aed363e6cad46948143991449cf4b47e115ddd61e60e5c2c682aef1fcd1a0ce63f42c3046a3e581e7b211dba65dcadffc0e7003014937cbc

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
332B

MD5
9fdcac422aba9a832c4e1ba63c4f5633

SHA1
9d702a9454da3907bdd2cdee1cc7a792b25c2c6e

SHA256
733e489330d34542d6f8eca88b68115b6611f7cc4c44abe8433fe190784fce2d

SHA512
d759f45448cf0e9beac03e1c3a967a2d1d80d4155aa78128c33afa62c47f616399cf3c14f087707220e17d63153d17ebc8b9a66fff64f9cadadd9771ffbba56c

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
3KB

MD5
2fc18ee420d8961aa7bdbd93ece57f2a

SHA1
dd78aca8126fca2e7a7f6954f7d63b71340d74e2

SHA256
6ee64c3f43fbd1b98758cb5f03401abba48457524e839efdd3c02b92039419fb

SHA512
5ffa9248987a1367594555c3d44972e794f6e399ce4f16020caf6fff369aa378fa0dc0b1cc1b8eebf54850cf49d794f002f245208ef825903fe6abcc02abe314

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
1001B

MD5
bd836e208afcc26389fb286a4ca67d0c

SHA1
f91cb4f7dfa4bdd7c96f0e7e58f684b596922658

SHA256
95fd0985fb711a6ef8ce059775ef733bd977910694a2591edce48450ff95346b

SHA512
db63285415edb2115801921b9badddc54b8549cdce1095cf1fdf35d21de9fb0e2829c96f870b09c2cb5e4dd3d5c2447525c307e4130293f448f619f20673e5d1

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
580B

MD5
850b92922b6a569b4da027c1caf7a7cd

SHA1
852e09d5b0ccd4e11e0d8b2c1c084eae560aca07

SHA256
1551dd11ef2a6dd31557ece197d2db5d1a54ba79a71436824f3d6c0a976eda33

SHA512
d23614ac73fd233760cc26ec81418ba77175c56ac20d1cc933da06f79cc367e80a1a2e617c6eef3e120180956bacc749657d4624f9629116c19a5bc9948bb449

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
2KB

MD5
889ee68997ee81b9a3ee511c89f06392

SHA1
2226168e5400b972b33f5902d3468cc31ff711f5

SHA256
031a4050ddf495a5f5269dd640ef343ca8ed003186c1f488ab0440746e9c8733

SHA512
60598aa258c9ecd77063e82c750c7a26d30855e1c934cda9fbab701cbfa2d6bb9bca18c7e1777b61414087c4bc685ac25ff80939c44fdb8189d2c1ecf1c960fc

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
3KB

MD5
04c9ef507286b7a1cbaf06ad95a8026a

SHA1
8c5fffabeb4bb4189f514f273979aee360a0c475

SHA256
e1a3bb8c40624cf075245d79b2bb03c19f4df141ac8b6ecef59fc8a06d456eca

SHA512
750e6e45344b04ebc6d651983e19fc2da4405d58cbaeb38f414add78f1a4210cc88c37cb737b5456c1075aca052689df7a2f6f8ebaa73e433402ca446d95345a

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
3KB

MD5
50158ca0730d754f6e26bfbbbcf45748

SHA1
044a3b9a64e4df620d61720713d4996b5f7b3290

SHA256
4960e4d9782116d9d76586d0f44e824dae2ade5d26412b3f2cf5637a190f8e6a

SHA512
2495d174c2c58a5bea99dd8365c11d15631da98b4a1e930798c72f729fb98ac3587e4fca8759b6b9b2ea54c2e0a679dc4d26778a23333f95513dc71d13d4a56e

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
3KB

MD5
1aa2e6a9055a2dc7fa41bf42f21cac4e

SHA1
fa8b408955bde70c80f8bd12d736d8d029e30dea

SHA256
aba214834f486f8c8f2002263c1e24d572dec8fb1c285496df0e978dfa6700e4

SHA512
81a6ee646fa73bb16f0ad80854bc2884bf75aa2ba02aae3622ade76ec05ef3f3a88748d42c8d91ff3380e8807a1f886ad15d1a78b6980a3d3f9bda774737c8ca

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\ypz5ghko.newcfg

Filesize
2KB

MD5
2fd9456a35a3fee262adc268d4fd5535

SHA1
446df958a581f0de9f68c1f21f23adb1a083ad5b

SHA256
e2148ae6c6e99fa091b0c9d33579b9c03840ae58b84c4419eb95098a0ca66670

SHA512
005eaea06df35248eed68bae5080bfd16ca7065ad2b4bf4994dd41315bf9bd4ae8b5ed4f6355b0fcdfcc2e0cf419191f3559e629167a76657fb46417399ef66a

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\yq2yqleb.newcfg

Filesize
2KB

MD5
976254d9c564c10a628b3a8230f746f9

SHA1
f7bff1acfec4d31940820810a26b60fb9b42417e

SHA256
4d9207ad4769f964096125d144aaea9b9af753a983429c0503612373bc8518f9

SHA512
c69ada54d15f4c18091aef1cf1587dbeb9e8cf5d182a983867658f6cbc6abbb8cd4900c68f3254ba67840669a22429b7141f2590524b3c254bad06cc962f5bb8

Download Submit
C:\Windows\Temp\{03AF1AD4-A52C-408B-985B-DC9630823CD9}\.cr\vc_redist.x64.exe

Filesize
881KB

MD5
77e7adac36b6c0aa3497ab855328742b

SHA1
b14c603c4c5c7fae6e64ae1a3adb73bd2c276dfa

SHA256
8bdb6303852e0321a48156565a5f09a3ecd9f327123542453e0c086d1a9d0afa

SHA512
5ce7a058da003d551373367055760ed49492deab71ac400e39f1ad285139c0d6ea7394c2c2210e6977d123ae4bdbabae9cdc94b77726ded07268ee41765c2f54

Download Submit
C:\Windows\Temp\{1F515FA6-118F-4447-AEBC-1D85C3141752}\.ba\1055\license.rtf

Filesize
177KB

MD5
f1a281f74d3e91d16dd26d1f313cd8a9

SHA1
ddb2ca9032c5a9c091eac53b679f6ba428077b00

SHA256
f79108a254f876e0f6bbcb05a9effbe25dc252e7ea256bfe3fd28ceb79737f25

SHA512
484c5ca26275427e1fb74d3217a22a0e4aac409aba973e78d7ad68834e7ad1d86c7855d34b227925200f941d288dfc09477b2d7dfe0856810c6c847297b8d625

Download Submit
C:\Windows\Temp\{1F515FA6-118F-4447-AEBC-1D85C3141752}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{1F515FA6-118F-4447-AEBC-1D85C3141752}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{2C25BB34-F544-4B3A-A796-6DF0CDDDB907}\.ba\1036\license.rtf

Filesize
136KB

MD5
1da77b492870266e67626ce000528425

SHA1
bbde5f2e5c744bf7eb4931ad0be883bd8a89cee2

SHA256
84cfc67f98d7553ab6af43e9b8d89138a9f46d0fd9291a441d7fe73f5c1a9dc6

SHA512
1efbf899fd722d5ebe2b885deb37da601c4291000761ba1825b4a76c2b51d5b69e1e03106ef0e29a108cc6b8ba8ec69ee7c7af641fabdcb1154a35d3dcb263b1

Download Submit
C:\Windows\Temp\{8E28BC0C-A49B-47BB-A1BA-44DD84E098A8}\.cr\vc_redist.x86.exe

Filesize
881KB

MD5
9df0848b2753e9255f1a6b4cdc9a5a3e

SHA1
051469cd9e786b720ef6b70c35a1e184a643f520

SHA256
59089badd61acb47a07748c9018d3a959cf58f07de9902b0c45dffae3e566090

SHA512
518a78e77515b2fb21c5f66a760473a1f8ab5050e9bc65a4715ab178e568079f11f65fc173db59dd021b69fe0b606c42e50bf5f09a34ba2009a7b71e88033452

Download Submit
\??\c:\PROGRA~1\VOICEM~1\driver\vmdrv.sys

Filesize
44KB

MD5
31acfc46ce310b4fa7750c3db047154e

SHA1
d99d6f7d2bad8dcac0516170f9b1c29946eef4f3

SHA256
1f6cbdc32658ffcf48f6a037302f96c515febe16b459eeddd9c5624d5be91182

SHA512
9f1edb81bd70d216afe265ccf8b0ebe3a62f2bb31204339402e250b7e844ae9ed7aba84754d21ddf2f5854e406cb36fac346501d321113c784d54dffb170807a

Download Submit
\??\c:\program files\voicemod desktop\driver\vmdrv.cat

Filesize
10KB

MD5
2a806a9b70eeba9507bba3f6f44aab0b

SHA1
9577336a7c441c6df360a598e89eef7a3c765ff2

SHA256
488b32ba019c0db448d0669f70bdf564d0f4bd23c7f9592d185474b0d62c763a

SHA512
197a4bd6427c8be1d5a1eca2faa98b1cfcddc7bb53210ddb20e5916b55fe5c4064639932042855db6dac371bea30ca13d9403cd4d8679ea093930694cd37980e

Download Submit
memory/2192-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2192-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2192-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2192-427-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3252-855-0x0000028FDACC0000-0x0000028FDCB17000-memory.dmp

Filesize
30.3MB

Download
memory/3252-854-0x0000028FDACC0000-0x0000028FDCB17000-memory.dmp

Filesize
30.3MB

Download
memory/3252-853-0x0000028FDACC0000-0x0000028FDCB17000-memory.dmp

Filesize
30.3MB

Download
memory/3252-808-0x0000028FB7020000-0x0000028FB72F2000-memory.dmp

Filesize
2.8MB

Download
memory/3972-7-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3972-16-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3972-426-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3972-323-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4068-705-0x0000023FBD200000-0x0000023FBD208000-memory.dmp

Filesize
32KB

Download
memory/4068-723-0x0000023FBD340000-0x0000023FBD384000-memory.dmp

Filesize
272KB

Download
memory/4068-470-0x0000023FB86B0000-0x0000023FB86E8000-memory.dmp

Filesize
224KB

Download
memory/4068-471-0x0000023FB8670000-0x0000023FB867E000-memory.dmp

Filesize
56KB

Download
memory/4068-650-0x0000023FBD9A0000-0x0000023FBF7F7000-memory.dmp

Filesize
30.3MB

Download
memory/4068-469-0x0000023FB6C20000-0x0000023FB6C28000-memory.dmp

Filesize
32KB

Download
memory/4068-680-0x0000023FBD9A0000-0x0000023FBF7F7000-memory.dmp

Filesize
30.3MB

Download
memory/4068-464-0x0000023FB86F0000-0x0000023FB9D54000-memory.dmp

Filesize
22.4MB

Download
memory/4068-703-0x0000023FBD1E0000-0x0000023FBD1F0000-memory.dmp

Filesize
64KB

Download
memory/4068-704-0x0000023FBD1F0000-0x0000023FBD1F8000-memory.dmp

Filesize
32KB

Download
memory/4068-459-0x0000023FB6B50000-0x0000023FB6B5C000-memory.dmp

Filesize
48KB

Download
memory/4068-483-0x0000023FBC580000-0x0000023FBC5A2000-memory.dmp

Filesize
136KB

Download
memory/4068-706-0x0000023FBD210000-0x0000023FBD218000-memory.dmp

Filesize
32KB

Download
memory/4068-707-0x0000023FBD230000-0x0000023FBD238000-memory.dmp

Filesize
32KB

Download
memory/4068-708-0x0000023FBD220000-0x0000023FBD228000-memory.dmp

Filesize
32KB

Download
memory/4068-457-0x0000023FB6B10000-0x0000023FB6B22000-memory.dmp

Filesize
72KB

Download
memory/4068-616-0x0000023FBC570000-0x0000023FBC578000-memory.dmp

Filesize
32KB

Download
memory/4068-615-0x0000023FBC560000-0x0000023FBC568000-memory.dmp

Filesize
32KB

Download
memory/4068-472-0x0000023FBC490000-0x0000023FBC4D0000-memory.dmp

Filesize
256KB

Download
memory/4068-611-0x0000023FBC530000-0x0000023FBC53C000-memory.dmp

Filesize
48KB

Download
memory/4068-421-0x0000023FB6A60000-0x0000023FB6B06000-memory.dmp

Filesize
664KB

Download
memory/4068-423-0x0000023F9E000000-0x0000023F9E00A000-memory.dmp

Filesize
40KB

Download
memory/4068-771-0x0000023FBD530000-0x0000023FBD5A6000-memory.dmp

Filesize
472KB

Download
memory/4068-772-0x0000023FBD5B0000-0x0000023FBD5CE000-memory.dmp

Filesize
120KB

Download
memory/4068-419-0x0000023F9DFF0000-0x0000023F9DFFA000-memory.dmp

Filesize
40KB

Download
memory/4068-798-0x00000247C2480000-0x00000247C2606000-memory.dmp

Filesize
1.5MB

Download
memory/4068-802-0x0000023FBD9A0000-0x0000023FBF7F7000-memory.dmp

Filesize
30.3MB

Download
memory/4068-803-0x0000023FBD9A0000-0x0000023FBF7F7000-memory.dmp

Filesize
30.3MB

Download
memory/4068-804-0x0000023FBD9A0000-0x0000023FBF7F7000-memory.dmp

Filesize
30.3MB

Download
memory/4068-613-0x0000023FBFE10000-0x0000023FBFE58000-memory.dmp

Filesize
288KB

Download
memory/4068-614-0x0000023FBC540000-0x0000023FBC54A000-memory.dmp

Filesize
40KB

Download
memory/4068-476-0x0000023FB8690000-0x0000023FB869A000-memory.dmp

Filesize
40KB

Download
memory/4068-480-0x0000023FBC480000-0x0000023FBC488000-memory.dmp

Filesize
32KB

Download
memory/4068-482-0x0000023FBC4F0000-0x0000023FBC502000-memory.dmp

Filesize
72KB

Download
memory/4068-417-0x0000023F9C060000-0x0000023F9C332000-memory.dmp

Filesize
2.8MB

Download