hxxps://www[.]mediafire[.]com/file/s9nhrjlt8sowx5b/Voicemod[.]Pro[.]2[.]6[.]0[.]7[.]rar/file

Analysis

max time kernel
1800s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/s9nhrjlt8sowx5b/Voicemod.Pro.2.6.0.7.rar/file

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4500	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\SET985C.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\SET985C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\SET987A.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SET987A.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vmdrv.sys	DrvInst.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1300	netsh.exe
2336	netsh.exe
4728	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	VoicemodDesktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	VoicemodDesktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	VoicemodDesktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	VoicemodDesktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	VoicemodDesktop.exe

Executes dropped EXE 42 IoCs

pid	Process
4436	VoicemodSetup_2.6.0.7.exe
5724	VoicemodSetup_2.6.0.7.tmp
5756	SaveDefaultDevices.exe
864	voicemodcon.exe
5312	voicemodcon.exe
4808	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
4964	VoicemodSetup_2.6.0.7.exe
3732	VoicemodSetup_2.6.0.7.tmp
3136	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
4660	VoicemodDesktop.exe
3412	VoicemodDesktop.exe
3908	VoicemodUpdate_2.51.0.0.exe
5436	VoicemodUpdate_2.51.0.0.tmp
3740	avx-checker.exe
5356	avx-checker.exe
2172	avx-checker.exe
1184	SaveDefaultDevices.exe
5236	voicemodcon.exe
5212	voicemodcon.exe
6000	voicemodcon.exe
4084	voicemodcon.exe
3136	AudioEndPointTool.exe
5964	AudioEndPointTool.exe
1296	AudioEndPointTool.exe
5300	voicemodcon.exe
680	AudioEndPointTool.exe
4540	AudioEndPointTool.exe
3128	AudioEndPointTool.exe
5544	AudioEndPointTool.exe
5252	AudioEndPointTool.exe
4864	VoicemodDesktop.exe
4860	VoicemodDesktop.exe
3736	VoicemodDesktop.exe
4640	VoicemodDesktop.exe
5312	VoicemodDesktop.exe
1400	VoicemodDesktop.exe
5872	VoicemodDesktop.exe
5448	VoicemodDesktop.exe

Loads dropped DLL 64 IoCs

pid	Process
5724	VoicemodSetup_2.6.0.7.tmp
5724	VoicemodSetup_2.6.0.7.tmp
5724	VoicemodSetup_2.6.0.7.tmp
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
4808	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
3732	VoicemodSetup_2.6.0.7.tmp
3732	VoicemodSetup_2.6.0.7.tmp
3732	VoicemodSetup_2.6.0.7.tmp
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
3136	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
1492	VoicemodDesktop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voicemod = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\""	VoicemodSetup_2.6.0.7.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Network Service Discovery 1 TTPs 13 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5072	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
4640	VoicemodDesktop.exe
5312	VoicemodDesktop.exe
1400	VoicemodDesktop.exe
5872	VoicemodDesktop.exe
5448	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
3736	VoicemodDesktop.exe
4660	VoicemodDesktop.exe
3412	VoicemodDesktop.exe
4860	VoicemodDesktop.exe
5740	VoicemodDesktop.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}\SET9687.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_d69cebb32d098656\vmdrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_d69cebb32d098656	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}\SET97A1.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}\SET9676.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}\SET97A1.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}\SET97A2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}\SET9697.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_d69cebb32d098656\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}\SET9697.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_d69cebb32d098656\vmdrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}\SET9791.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}\mvvad.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}\SET97A2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}\mvvad.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_d69cebb32d098656\vmdrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}\vmdrv.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_d69cebb32d098656\vmdrv.PNF	voicemodcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}\vmdrv.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_d69cebb32d098656\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mvvad.inf_amd64_307d82593046a239\mvvad.PNF	voicemodcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}\SET9676.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6270c246-0dc7-9b46-8137-5b70e1117cad}\SET9687.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_d69cebb32d098656\vmdrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5bbb421c-0932-764f-9a72-751385f3a2bc}\SET9791.tmp	DrvInst.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
2724	tasklist.exe
2332	tasklist.exe
5852	tasklist.exe
5844	tasklist.exe
244	tasklist.exe
6140	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Voicemod Desktop\is-9NP8E.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Security.Cryptography.Cng.dll	VoicemodUpdate_2.51.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Http.dll	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe	VoicemodUpdate_2.51.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\pl.pak	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-TEBIE.tmp	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-EC59B.tmp	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-9HP6B.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Server.Kestrel.Https.dll	VoicemodUpdate_2.51.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh-tw\AutoUpdater.NET.resources.dll	VoicemodUpdate_2.51.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Http.dll	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-1MBJ0.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-1P046.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-SHJAD.tmp	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-92EFS.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-KG08P.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Memory.dll	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.IdentityModel.Logging.dll	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-FS8JB.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-SISA6.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-AE0FP.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-LR3HI.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-OERRL.tmp	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-8ELQA.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\he.pak	VoicemodUpdate_2.51.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.AspNetCore.Server.Kestrel.dll	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-QIO1B.tmp	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-C8AIL.tmp	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-F9APG.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-CCOAA.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\SevenZip.dll	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-ENN9V.tmp	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-A9SP8.tmp	VoicemodUpdate_2.51.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\libGLESv2.dll	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-FD6AV.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-UMNGB.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Net.Http.Headers.dll	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-1N8EH.tmp	VoicemodUpdate_2.51.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\unins000.dat	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-FVFSG.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.ValueTuple.dll	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-KPLUK.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-06PHK.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\IO.Ably.dll	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\System.Data.SQLite.dll	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-IDVU3.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\NLog.Web.AspNetCore.dll	VoicemodUpdate_2.51.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ja-JP\AutoUpdater.NET.resources.dll	VoicemodUpdate_2.51.0.0.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\SimpleInjector.dll	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-K22D9.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-9P3UV.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-FIP30.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-8BGLK.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-JJ18F.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-HSIEE.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-LLTLL.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\Microsoft.Extensions.Primitives.dll	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-1S9IL.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-6UEE4.tmp	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\is-607G4.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\locales\is-VD6SL.tmp	VoicemodSetup_2.6.0.7.tmp
File created	C:\Program Files\Voicemod Desktop\is-QIM66.tmp	VoicemodSetup_2.6.0.7.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\locales\zh-CN.pak	VoicemodUpdate_2.51.0.0.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-2DA6I.tmp	VoicemodUpdate_2.51.0.0.tmp

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.pnf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	voicemodcon.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	voicemodcon.exe
File created	C:\Windows\INF\oem2.PNF	voicemodcon.exe
File created	C:\Windows\INF\c_media.PNF	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	voicemodcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	voicemodcon.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup_2.6.0.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup_2.6.0.7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup_2.6.0.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup_2.6.0.7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodUpdate_2.51.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodUpdate_2.51.0.0.tmp

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	voicemodcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	voicemodcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	voicemodcon.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon\ = "VoicemodDesktop.exe,1"	VoicemodSetup_2.6.0.7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command	VoicemodSetup_2.6.0.7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open	VoicemodSetup_2.6.0.7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod	VoicemodUpdate_2.51.0.0.tmp
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon	VoicemodUpdate_2.51.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod	VoicemodSetup_2.6.0.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon\ = "VoicemodDesktop.exe,1"	VoicemodSetup_2.6.0.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command\ = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\" \"%1\""	VoicemodSetup_2.6.0.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\ = "URL:Voicemod Command Protocol"	VoicemodUpdate_2.51.0.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\URL Protocol	VoicemodUpdate_2.51.0.0.tmp
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon	VoicemodSetup_2.6.0.7.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{E16EF9E5-4300-4EFA-AC99-D7D127D5E31A}	VoicemodDesktop.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod	VoicemodSetup_2.6.0.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon\ = "VoicemodDesktop.exe,1"	VoicemodUpdate_2.51.0.0.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command	VoicemodUpdate_2.51.0.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command\ = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\" \"%1\""	VoicemodUpdate_2.51.0.0.tmp
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\DefaultIcon	VoicemodSetup_2.6.0.7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell	VoicemodSetup_2.6.0.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\ = "URL:Voicemod Command Protocol"	VoicemodSetup_2.6.0.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\URL Protocol	VoicemodSetup_2.6.0.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command\ = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\" \"%1\""	VoicemodSetup_2.6.0.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\ = "URL:Voicemod Command Protocol"	VoicemodSetup_2.6.0.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\URL Protocol	VoicemodSetup_2.6.0.7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\voicemod\Shell\open\command	VoicemodSetup_2.6.0.7.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{0892F901-291D-4CF1-8945-3DF1DF0E98C2}	VoicemodDesktop.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
4056	msedge.exe
4056	msedge.exe
5940	identity_helper.exe
5940	identity_helper.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5060	msedge.exe
5060	msedge.exe
5724	VoicemodSetup_2.6.0.7.tmp
5724	VoicemodSetup_2.6.0.7.tmp
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
4648	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5072	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
5740	VoicemodDesktop.exe
3732	VoicemodSetup_2.6.0.7.tmp
3732	VoicemodSetup_2.6.0.7.tmp
1492	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
1492	VoicemodDesktop.exe
4660	VoicemodDesktop.exe
4660	VoicemodDesktop.exe
4660	VoicemodDesktop.exe
4660	VoicemodDesktop.exe
3412	VoicemodDesktop.exe
3412	VoicemodDesktop.exe
3412	VoicemodDesktop.exe
3412	VoicemodDesktop.exe
5436	VoicemodUpdate_2.51.0.0.tmp
5436	VoicemodUpdate_2.51.0.0.tmp
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
4860	VoicemodDesktop.exe
4860	VoicemodDesktop.exe
5312	VoicemodDesktop.exe
5312	VoicemodDesktop.exe
3736	VoicemodDesktop.exe
3736	VoicemodDesktop.exe
4640	VoicemodDesktop.exe
4640	VoicemodDesktop.exe
1400	VoicemodDesktop.exe
1400	VoicemodDesktop.exe
4864	VoicemodDesktop.exe
4864	VoicemodDesktop.exe
5872	VoicemodDesktop.exe
5872	VoicemodDesktop.exe
5448	VoicemodDesktop.exe
5448	VoicemodDesktop.exe
5448	VoicemodDesktop.exe
5448	VoicemodDesktop.exe
4864	VoicemodDesktop.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2464	7zG.exe
Token: 35	2464	7zG.exe
Token: SeSecurityPrivilege	2464	7zG.exe
Token: SeSecurityPrivilege	2464	7zG.exe
Token: SeRestorePrivilege	4324	7zG.exe
Token: 35	4324	7zG.exe
Token: SeSecurityPrivilege	4324	7zG.exe
Token: SeSecurityPrivilege	4324	7zG.exe
Token: SeRestorePrivilege	5460	7zG.exe
Token: 35	5460	7zG.exe
Token: SeSecurityPrivilege	5460	7zG.exe
Token: SeSecurityPrivilege	5460	7zG.exe
Token: SeRestorePrivilege	696	7zG.exe
Token: 35	696	7zG.exe
Token: SeSecurityPrivilege	696	7zG.exe
Token: SeSecurityPrivilege	696	7zG.exe
Token: SeRestorePrivilege	5192	7zG.exe
Token: 35	5192	7zG.exe
Token: SeSecurityPrivilege	5192	7zG.exe
Token: SeSecurityPrivilege	5192	7zG.exe
Token: SeRestorePrivilege	3212	7zG.exe
Token: 35	3212	7zG.exe
Token: SeSecurityPrivilege	3212	7zG.exe
Token: SeSecurityPrivilege	3212	7zG.exe
Token: SeDebugPrivilege	6140	tasklist.exe
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeAuditPrivilege	3432	svchost.exe
Token: SeSecurityPrivilege	3432	svchost.exe
Token: SeLoadDriverPrivilege	5312	voicemodcon.exe
Token: SeRestorePrivilege	5348	DrvInst.exe
Token: SeBackupPrivilege	5348	DrvInst.exe
Token: SeRestorePrivilege	5348	DrvInst.exe
Token: SeBackupPrivilege	5348	DrvInst.exe
Token: SeRestorePrivilege	5348	DrvInst.exe
Token: SeBackupPrivilege	5348	DrvInst.exe
Token: SeLoadDriverPrivilege	5348	DrvInst.exe
Token: SeLoadDriverPrivilege	5348	DrvInst.exe
Token: SeLoadDriverPrivilege	5348	DrvInst.exe
Token: SeDebugPrivilege	4808	VoicemodDesktop.exe
Token: SeDebugPrivilege	4648	VoicemodDesktop.exe
Token: SeDebugPrivilege	5072	VoicemodDesktop.exe
Token: 33	4644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4644	AUDIODG.EXE
Token: SeDebugPrivilege	5740	VoicemodDesktop.exe
Token: SeDebugPrivilege	2332	tasklist.exe
Token: SeDebugPrivilege	5852	tasklist.exe
Token: SeDebugPrivilege	3136	VoicemodDesktop.exe
Token: SeDebugPrivilege	1492	VoicemodDesktop.exe
Token: SeDebugPrivilege	4660	VoicemodDesktop.exe
Token: SeDebugPrivilege	3412	VoicemodDesktop.exe
Token: SeDebugPrivilege	5844	tasklist.exe
Token: SeDebugPrivilege	244	tasklist.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeLoadDriverPrivilege	5212	voicemodcon.exe
Token: SeLoadDriverPrivilege	5212	voicemodcon.exe
Token: SeAuditPrivilege	2132	svchost.exe
Token: SeSecurityPrivilege	2132	svchost.exe
Token: SeLoadDriverPrivilege	5300	voicemodcon.exe
Token: SeRestorePrivilege	1540	DrvInst.exe
Token: SeBackupPrivilege	1540	DrvInst.exe
Token: SeRestorePrivilege	1540	DrvInst.exe
Token: SeBackupPrivilege	1540	DrvInst.exe
Token: SeRestorePrivilege	1540	DrvInst.exe
Token: SeBackupPrivilege	1540	DrvInst.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4940	OpenWith.exe
1116	OpenWith.exe
1116	OpenWith.exe
1116	OpenWith.exe
5712	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 5076	4056	msedge.exe	84
PID 4056 wrote to memory of 5076	4056	msedge.exe	84
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 548	4056	msedge.exe	85
PID 4056 wrote to memory of 536	4056	msedge.exe	86
PID 4056 wrote to memory of 536	4056	msedge.exe	86
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87
PID 4056 wrote to memory of 4780	4056	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/s9nhrjlt8sowx5b/Voicemod.Pro.2.6.0.7.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8f2946f8,0x7ffd8f294708,0x7ffd8f294718
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4000 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7412 /prefetch:8
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4896 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1320 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,7635537042465536208,2952944779502066764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:5620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5712

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap24583:102:7zEvent11633
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17419:102:7zEvent20613
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20554:102:7zEvent25209
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5460

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17513:102:7zEvent20728
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap24491:102:7zEvent29726
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5192

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap10185:102:7zEvent26598
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\Downloads\Voicemod.Pro.2.6.0.7\Software Files\VoicemodSetup_2.6.0.7.exe
"C:\Users\Admin\Downloads\Voicemod.Pro.2.6.0.7\Software Files\VoicemodSetup_2.6.0.7.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4436
- C:\Users\Admin\AppData\Local\Temp\is-TAIN8.tmp\VoicemodSetup_2.6.0.7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TAIN8.tmp\VoicemodSetup_2.6.0.7.tmp" /SL5="$17006A,66753197,750080,C:\Users\Admin\Downloads\Voicemod.Pro.2.6.0.7\Software Files\VoicemodSetup_2.6.0.7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5724
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=1b74ca46-c49b-4c52-a57d-8cd1ff70c625 -o C:\Users\Admin\AppData\Local\Temp\is-P82K3.tmp\deviceId.txt
    3⤵
    PID:5928
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4452
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
    3⤵
    PID:1464
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6140
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_VoicemodDesktop.exe.txt
    3⤵
    PID:4840
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2724
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:2928
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpLicense\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:1860
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectDir\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"6\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4256
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectTasks\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"9\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:3120
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpReady\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"10\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:5692
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpPreparing\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"11\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:2520
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpInstalling\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"12\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:3332
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Install\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4428
- - C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
    "C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt
    3⤵
    - Executes dropped EXE
    PID:5756
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""
    3⤵
    PID:5728
  - - C:\Windows\system32\net.exe
      net stop audiosrv /y
      4⤵
      PID:4552
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        5⤵
        
        PID:3740
  - - C:\Windows\system32\net.exe
      net stop AudioEndpointBuilder /y
      4⤵
      PID:1852
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        5⤵
        
        PID:3100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "voicemodcon.exe dp_enum"
      4⤵
      PID:4872
    - - C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon.exe dp_enum
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:864
  - - C:\Windows\system32\net.exe
      net start audiosrv
      4⤵
      PID:5416
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        5⤵
        
        PID:5232
  - - C:\Windows\system32\net.exe
      net stop audiosrv /y
      4⤵
      PID:4656
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        5⤵
        
        PID:1568
  - - C:\Windows\system32\net.exe
      net stop AudioEndpointBuilder /y
      4⤵
      PID:920
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        5⤵
        
        PID:5268
  - - C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
      voicemodcon install vmdrv.inf *VMDriver
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:5312
  - - C:\Windows\system32\net.exe
      net start audiosrv
      4⤵
      PID:3636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        5⤵
        
        PID:5388
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Step PostInstall\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:5236
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpFinished\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"14\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:5580
- - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
    "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=gpu-process --field-trial-handle=14132,16422256599030351264,4563556974842197742,131072 --no-sandbox --disable-gpu-vsync=1 --log-file="C:\Program Files\Voicemod Desktop\debug.log" --log-severity=disable --lang=en-US --cefsharpexitsub --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Voicemod Desktop\debug.log" --service-request-channel-token=5907297991546077474 --mojo-platform-channel-handle=1152 /prefetch:2 --host-process-id=4808 --custom-scheme=resource|T|F|F|T|T|F;resx|T|F|F|T|T|F;fmeme|T|F|F|T|T|F;fvlabvoice|T|F|F|T|T|F;fcorevoice|T|F|F|T|T|F
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4648
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --field-trial-handle=14132,16422256599030351264,4563556974842197742,131072 --disable-gpu-compositing --service-pipe-token=7008276843212179843 --lang=en-US --log-file="C:\Program Files\Voicemod Desktop\debug.log" --log-severity=disable --enable-system-flash=1 --cefsharpexitsub --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=7008276843212179843 --renderer-client-id=3 --mojo-platform-channel-handle=10640 /prefetch:1 --host-process-id=4808 --custom-scheme=resource|T|F|F|T|T|F;resx|T|F|F|T|T|F;fmeme|T|F|F|T|T|F;fvlabvoice|T|F|F|T|T|F;fcorevoice|T|F|F|T|T|F
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5072
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --field-trial-handle=14132,16422256599030351264,4563556974842197742,131072 --disable-gpu-compositing --service-pipe-token=987495722924114246 --lang=en-US --log-file="C:\Program Files\Voicemod Desktop\debug.log" --log-severity=disable --enable-system-flash=1 --cefsharpexitsub --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=987495722924114246 --renderer-client-id=4 --mojo-platform-channel-handle=4416 /prefetch:1 --host-process-id=4808 --custom-scheme=resource|T|F|F|T|T|F;resx|T|F|F|T|T|F;fmeme|T|F|F|T|T|F;fvlabvoice|T|F|F|T|T|F;fcorevoice|T|F|F|T|T|F
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5740
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Done\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3432
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{aa025d05-f849-5743-81d1-adaa0343da80}\vmdrv.inf" "9" "499a51a03" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files\voicemod desktop\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5680
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:2020.9.25.0:*vmdriver," "499a51a03" "000000000000014C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:5348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:3252

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Users\Admin\Downloads\Voicemod.Pro.2.6.0.7\Software Files\VoicemodSetup_2.6.0.7.exe
"C:\Users\Admin\Downloads\Voicemod.Pro.2.6.0.7\Software Files\VoicemodSetup_2.6.0.7.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964
- C:\Users\Admin\AppData\Local\Temp\is-CE2PK.tmp\VoicemodSetup_2.6.0.7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CE2PK.tmp\VoicemodSetup_2.6.0.7.tmp" /SL5="$20342,66753197,750080,C:\Users\Admin\Downloads\Voicemod.Pro.2.6.0.7\Software Files\VoicemodSetup_2.6.0.7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=1b74ca46-c49b-4c52-a57d-8cd1ff70c625 -o C:\Users\Admin\AppData\Local\Temp\is-916SE.tmp\deviceId.txt
    3⤵
    PID:3212
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4436
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
    3⤵
    PID:1908
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2332
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_VoicemodDesktop.exe.txt
    3⤵
    PID:4012
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5852
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:5780
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpLicense\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\",\"page_number\": \"2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:5348
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpPreparing\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\",\"page_number\": \"11\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:6024
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpInstalling\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\",\"page_number\": \"12\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:5168
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Install\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:5136
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Step PostInstall\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4484
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpFinished\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\",\"page_number\": \"14\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:5360
- - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
    "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=gpu-process --field-trial-handle=6532,9068274441163541590,14523035290428737214,131072 --no-sandbox --disable-gpu-vsync=1 --log-file="C:\Program Files\Voicemod Desktop\debug.log" --log-severity=disable --lang=en-US --cefsharpexitsub --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Voicemod Desktop\debug.log" --service-request-channel-token=17311613923121099804 --mojo-platform-channel-handle=22120 /prefetch:2 --host-process-id=3136 --custom-scheme=resource|T|F|F|T|T|F;resx|T|F|F|T|T|F;fmeme|T|F|F|T|T|F;fvlabvoice|T|F|F|T|T|F;fcorevoice|T|F|F|T|T|F
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --field-trial-handle=6532,9068274441163541590,14523035290428737214,131072 --disable-gpu-compositing --service-pipe-token=9813977006914775997 --lang=en-US --log-file="C:\Program Files\Voicemod Desktop\debug.log" --log-severity=disable --enable-system-flash=1 --cefsharpexitsub --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=9813977006914775997 --renderer-client-id=3 --mojo-platform-channel-handle=9408 /prefetch:1 --host-process-id=3136 --custom-scheme=resource|T|F|F|T|T|F;resx|T|F|F|T|T|F;fmeme|T|F|F|T|T|F;fvlabvoice|T|F|F|T|T|F;fcorevoice|T|F|F|T|T|F
      4⤵
      Executes dropped EXE
      Network Service Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4660
  - - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
      "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --field-trial-handle=6532,9068274441163541590,14523035290428737214,131072 --disable-gpu-compositing --service-pipe-token=11678306495583077070 --lang=en-US --log-file="C:\Program Files\Voicemod Desktop\debug.log" --log-severity=disable --enable-system-flash=1 --cefsharpexitsub --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=11678306495583077070 --renderer-client-id=4 --mojo-platform-channel-handle=19732 /prefetch:1 --host-process-id=3136 --custom-scheme=resource|T|F|F|T|T|F;resx|T|F|F|T|T|F;fmeme|T|F|F|T|T|F;fvlabvoice|T|F|F|T|T|F;fcorevoice|T|F|F|T|T|F
      4⤵
      Executes dropped EXE
      Network Service Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\VoicemodUpdate_2.51.0.0.exe
      "C:\Users\Admin\AppData\Local\Temp\VoicemodUpdate_2.51.0.0.exe" /NOCANCEL /SILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\is-HQH81.tmp\VoicemodUpdate_2.51.0.0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HQH81.tmp\VoicemodUpdate_2.51.0.0.tmp" /SL5="$100214,117189724,720896,C:\Users\Admin\AppData\Local\Temp\VoicemodUpdate_2.51.0.0.exe" /NOCANCEL /SILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5436
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=1b74ca46-c49b-4c52-a57d-8cd1ff70c625 -o C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\deviceId.txt
        6⤵
        
        PID:2000
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"2.51.0.0\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
        6⤵
        
        PID:2576
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
        6⤵
        
        PID:4484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5844
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_VoicemodDesktop.exe.txt
        6⤵
        
        PID:5368
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:244
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"2.51.0.0\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
        6⤵
        
        PID:4808
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpReady\" , \"custom_attributes\": { \"version\": \"2.51.0.0\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"10\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
        6⤵
        
        PID:5200
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpPreparing\" , \"custom_attributes\": { \"version\": \"2.51.0.0\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"11\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
        6⤵
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\avx-checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\avx-checker.exe"
        6⤵
        Executes dropped EXE
        
        PID:3740
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpInstalling\" , \"custom_attributes\": { \"version\": \"2.51.0.0\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"12\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
        6⤵
        
        PID:2188
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Install\" , \"custom_attributes\": { \"version\": \"2.51.0.0\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
        6⤵
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\avx-checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\avx-checker.exe"
        6⤵
        Executes dropped EXE
        
        PID:5356
      - C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\avx-checker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\avx-checker.exe"
        6⤵
        Executes dropped EXE
        
        PID:2172
      - C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
        
        "C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt
        6⤵
        Executes dropped EXE
        
        PID:1184
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""
        6⤵
        
        PID:5160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Start-Process 'setupDrvAdmin.bat' -Verb runAs -WindowStyle Hidden -Wait"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Voicemod Desktop\driver\setupDrvAdmin.bat"
        8⤵
        
        PID:1616
        
        C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        9⤵
        
        PID:2992
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        10⤵
        
        PID:4572
        
        C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        9⤵
        
        PID:3976
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        10⤵
        
        PID:5824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "voicemodcon.exe dp_enum"
        9⤵
        
        PID:4508
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon.exe dp_enum
        10⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon.exe remove *VMDriver
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon.exe dp_delete oem3.inf
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Checks SCSI registry key(s)
        
        PID:6000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "voicemodcon.exe dp_enum"
        9⤵
        
        PID:3496
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon.exe dp_enum
        10⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\system32\net.exe
        
        net start audiosrv
        9⤵
        
        PID:5848
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        10⤵
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        9⤵
        
        PID:3880
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Communications --format Raw --fields ID
        10⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        9⤵
        
        PID:2124
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Multimedia --format Raw --fields ID
        10⤵
        Executes dropped EXE
        
        PID:5964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        9⤵
        
        PID:1848
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --default --flow Capture --role Console --format Raw --fields ID
        10⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\system32\net.exe
        
        net stop audiosrv /y
        9⤵
        
        PID:5404
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop audiosrv /y
        10⤵
        
        PID:644
        
        C:\Windows\system32\net.exe
        
        net stop AudioEndpointBuilder /y
        9⤵
        
        PID:6048
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop AudioEndpointBuilder /y
        10⤵
        
        PID:5764
        
        C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe
        
        voicemodcon install mvvad.inf *VMDriver
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5300
        
        C:\Windows\system32\net.exe
        
        net start audiosrv
        9⤵
        
        PID:5520
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start audiosrv
        10⤵
        
        PID:4964
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{921d48cf-aeda-450f-8f51-4a2dbf32d016}" --flow=Capture --role=Communications
        9⤵
        Executes dropped EXE
        
        PID:680
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{921d48cf-aeda-450f-8f51-4a2dbf32d016}" --flow=Capture --role=Multimedia
        9⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setdefault --id="{0.0.1.00000000}.{921d48cf-aeda-450f-8f51-4a2dbf32d016}" --flow=Capture --role=Console
        9⤵
        Executes dropped EXE
        
        PID:3128
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\disableDrv.bat""
        6⤵
        
        PID:5684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
        7⤵
        
        PID:6064
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe get --name Voicemod --flow Capture --format Raw --fields ID
        8⤵
        Executes dropped EXE
        
        PID:5544
        
        C:\Program Files\Voicemod Desktop\driver\AudioEndPointTool.exe
        
        AudioEndPointTool.exe setvisibility --id="{0.0.1.00000000}.{f49b0cbd-6056-4a96-87c4-9d79c3b9990d}" --visible=false
        7⤵
        Executes dropped EXE
        
        PID:5252
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        6⤵
        
        PID:1984
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1300
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        6⤵
        
        PID:408
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2336
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        6⤵
        
        PID:4120
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4728
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Step PostInstall\" , \"custom_attributes\": { \"version\": \"2.51.0.0\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
        6⤵
        
        PID:5760
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpFinished\" , \"custom_attributes\": { \"version\": \"2.51.0.0\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"14\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
        6⤵
        
        PID:3680
      - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
        
        C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=gpu-process --no-sandbox --enable-gpu-rasterization --disable-gpu-vsync=0 --log-severity=disable --user-agent-product="VoicemodDesktop 2.51.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=42256 --field-trial-handle=40352,i,3766816140954787674,3307395282316649973,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 --host-process-id=4864 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
        7⤵
        Executes dropped EXE
        Network Service Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4860
        
        C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.51.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=37252 --field-trial-handle=40352,i,3766816140954787674,3307395282316649973,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=4864 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
        7⤵
        Executes dropped EXE
        Network Service Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3736
        
        C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.51.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=50424 --field-trial-handle=40352,i,3766816140954787674,3307395282316649973,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=4864 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
        7⤵
        Executes dropped EXE
        Network Service Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4640
        
        C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.51.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=7204 --field-trial-handle=40352,i,3766816140954787674,3307395282316649973,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=4864 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25 /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Network Service Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1400
        
        C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.51.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=40392 --field-trial-handle=40352,i,3766816140954787674,3307395282316649973,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=4864 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25 /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Network Service Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5312
        
        C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=renderer --log-severity=disable --user-agent-product="VoicemodDesktop 2.51.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Program Files\Voicemod Desktop\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=37376 --field-trial-handle=40352,i,3766816140954787674,3307395282316649973,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=4864 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25 /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Network Service Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://redirect.voicemod.net/?url=https%3a%2f%2faccount.voicemod.net%2f%23%2f%3faction%3dlogin%26ws%3d59129&origin=desktop&u=1b74ca46-c49b-4c52-a57d-8cd1ff70c625&appVersion=2.51.0.0
        7⤵
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8f2946f8,0x7ffd8f294708,0x7ffd8f294718
        8⤵
        
        PID:5924
        
        C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
        
        "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --log-severity=disable --user-agent-product="VoicemodDesktop 2.51.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voicemod Desktop\debug.log" --mojo-platform-channel-handle=37680 --field-trial-handle=40352,i,3766816140954787674,3307395282316649973,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=4864 --custom-scheme=resource|25;resx|25;fmeme|25;fvlabvoice|25;fugcvoice|25;fcorevoice|25
        7⤵
        Executes dropped EXE
        Network Service Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5448
      - C:\Windows\system32\curl.exe
        
        "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Done\" , \"custom_attributes\": { \"version\": \"2.51.0.0\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
        6⤵
        
        PID:1072
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\"},\"mp_deviceid\": \"ae6d16b9-b71f-4f33-8e37-dc08f714e7c5\",\"events\": [{\"data\": {\"event_name\": \"Installer Step Done\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"1b74ca46-c49b-4c52-a57d-8cd1ff70c625\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2132
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "5" "2" "C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_d69cebb32d098656\vmdrv.inf" "0" "48643ea57" "0000000000000148" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:6140
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{ee329ae5-074d-de4b-abe3-12c672902493}\mvvad.inf" "9" "499a51a03" "0000000000000154" "WinSta0\Default" "0000000000000160" "208" "c:\program files\voicemod desktop\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1784
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:2022.6.1.0:*vmdriver," "499a51a03" "0000000000000174"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:5648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voicemod Desktop\Microsoft.Extensions.Configuration.Abstractions.dll

Filesize
20KB

MD5
d8e064ad8f2419f204723cf7caa7ab0b

SHA1
f19f20d758dae8563fc4914c737e06f1292f58e2

SHA256
32ccdb2ab4348f195d247f920d1432c0cbb1cc5fd548fec8ee562c438aa48849

SHA512
b2ed620bc914433435e655f7a1c956735f959c3e8c60a182d96ab0a59a54c81ffa0c52214d88c6e48ca82e198ad7e9fcb603d6dc017ec64399fcf40d3178c341

Download Submit
C:\Program Files\Voicemod Desktop\NAudio.dll

Filesize
501KB

MD5
047bca47d9d12191811fb2e87cded3aa

SHA1
afdc5d27fb919d1d813e6a07466f889dbc8c6677

SHA256
bc4bacc3b8b28d898f1671b79f216cca439f95eb60cd32d3e3ecafbecac42780

SHA512
99505644d42e4c60c977e4144165ea9dea8f1301e6456aa809e046ecc84a3813a190ce65169a6ffef5a36ad3541ec91002615a02933f8deb642aa3f8f3b11f2f

Download Submit
C:\Program Files\Voicemod Desktop\NLog.dll

Filesize
818KB

MD5
b70274014c925937f0f2e79de6a17615

SHA1
f0c7f4d5f977c99a3205ee5c1c8c838ba4a81bce

SHA256
08f1f52716216fdbf4e918c88bedd87c13d06d914e4f39673f2528237638107c

SHA512
7cb67d07c136f48231da2a2fdcb7f93e8a63a391d09ceb56c12287b93a58e3fe9117313da4578f2225b178adb2bb5e0bf8d75d076c79be7823ccd42389f5dfdf

Download Submit
C:\Program Files\Voicemod Desktop\Newtonsoft.Json.dll

Filesize
659KB

MD5
4df6c8781e70c3a4912b5be796e6d337

SHA1
cbc510520fcd85dbc1c82b02e82040702aca9b79

SHA256
3598cccad5b535fea6f93662107a4183bfd6167bf1d0f80260436093edc2e3af

SHA512
964d9813e4d11e1e603e0a9627885c52034b088d0b0dfa5ac0043c27df204e621a2a654445f440ae318e15b1c5fea5c469da9e6a7350a787fef9edf6f0418e5c

Download Submit
C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\44100\is-TOF1J.tmp

Filesize
132B

MD5
d0b135a7afbc8738115955d1d3989600

SHA1
254742ba1e4db09a48b97e7bb02074b1b49c50db

SHA256
6cf61be36f04a4770c406ef405af3af1421a591598af66b90d5465a72c4db6e3

SHA512
2a66023db878b643ff362860830aa23f9dbb8e1720f8e737636284d1874b2500480a727f21b525880ae69e123408137e7e54163e44a532643db00e698b31444f

Download Submit
C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\48000\is-5ER1J.tmp

Filesize
140B

MD5
0a5fea5b0bb86177d677b25574ef0818

SHA1
2cfa1e1d703ae5ce65f85a7fafdcfcf7549f1aff

SHA256
58cd4155fe2d9d24b35a78d820e8840ae0f7aa6bea7f6daf8f7a88758d9dc553

SHA512
61291b0fdb6dfa53c5d95115a8bd1ca0f0ae7b3db1cd875f06307b0c5eca80827327f1f2128b03da4ecf9d99ff0ccc6bc95af5002b1344a82b853656c4aae63b

Download Submit
C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\NAudio\is-L2IGS.tmp

Filesize
9KB

MD5
7cb6d0965066c8a5a8d22c13687191a9

SHA1
358a069e177e08fdab3afd58daf78aa354e9237c

SHA256
ad0393de011f68587e6cfd1b57c8999473e36d6a4d6919cd2ca04e636b677826

SHA512
32aa2f21ddb91dcded3e81a6881b40dd1671a7495f04c5925c66ecc6450bec75bcfb175cd13998eb469ae0c24963a53948d41f4696894c21e71c61274a3057f0

Download Submit
C:\Program Files\Voicemod Desktop\Sentry.Protocol.dll

Filesize
49KB

MD5
c3b6084fb4a7ad53d42b6301bd19ac43

SHA1
8b528d371629c1aa1a31d35d7a257813a90b6846

SHA256
60857310276b69557d2596356f78b53b74f8ff8a905bcc5ac57b84b2fddc064d

SHA512
63e37c164561fbc9136244b1cf7c581fc4fa277ed5b24f9b767c126970740e358e340ba2609bc7f10523b48eaf3bb873fc4ce01094d039e43110263817c4b964

Download Submit
C:\Program Files\Voicemod Desktop\SimpleInjector.dll

Filesize
400KB

MD5
799368d49236de4022d232fbb6a4de38

SHA1
3e3181dcfc62a9067a0265385a6cd5e228626ce7

SHA256
0414c6cc3fe30f6baf019e30148a6c841358b6f3ab570b4419812eb7350b6a19

SHA512
9bb4b681cacd1c1361080fd3e768ea524a11fd284ea9795e04a5173e1ff326bda17c18debd26bd146f19eaebdd10f6c275fe0b2dfce88b601e9c9a2bb9fa91f8

Download Submit
C:\Program Files\Voicemod Desktop\Voicemod.VoicemodDesktop.UI.dll

Filesize
19.3MB

MD5
948fa7c2a1fc375157bde5d8d44fe162

SHA1
9ed97ef0eb84d52bb5dd0b2343c9deac4bc2b1e9

SHA256
9908c60efe2d8dd716e6654ea09e8a19ffce21273aeaa239473c549500479ba4

SHA512
fdafba662dce2b913d29ebd1d9b80eb41c4c8a1b09444c1275052fc436079dbdb4dc6a3a8021eff0768767bd9c8efba789a865a9e814299478840d12797354c8

Download Submit
C:\Program Files\Voicemod Desktop\Voicemod.VoicemodDesktop.UI.dll

Filesize
13.1MB

MD5
21f080d8449be3fe12778b711393d83a

SHA1
b231f5ca68befb14002f776f170fcd4c84fe8496

SHA256
2d88c8f9b95ba9f498e38390175c431ad84b18b7a5b645efe3debbb20bbf8b1d

SHA512
47c5f32c02a9599281bda4b039bb90af7b02b60fe59a43ea023ce2195ea7c62bc22bbbebd57176b43d0c732cab2f0556bdcf61e680844d81d7a1476ba5f673b5

Download Submit
C:\Program Files\Voicemod Desktop\Voicemod.Websockets.Fleck.dll

Filesize
80KB

MD5
aa81651105606461eb63db6d423fb2c7

SHA1
c748d7a703df483a99f2d434d1a45fb3d285b4c7

SHA256
138e544e27ee059ffef19809c54f48076a0ddb29410549b658b3aa67a18d153e

SHA512
1118a9b1090ff72fd15b269eae7f0d8085ef624fd34318f5c4499dcbae37531081c8060182cf37ca9e114c05eafdbbfb8477cf1ba2a88225106d587caf141541

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
4.9MB

MD5
d20afc7e984fef3a2b2ed3dc0b4c0ef5

SHA1
484da3d185b8b87620d4d2d6b7ca4266a651bf21

SHA256
fb737bdab9bf40f95dc999adc48cca3855fea1290c4bf51629f0298660f92cee

SHA512
e9ab6c311f73bbbd9640be6275c66ce4bb4aa73124e46eb7a3e7a8083bc8de0c461555ea12205c6ce630aa4e783bbea6112fca700f58edb33f0c82142dad127f

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
5.5MB

MD5
78c7e35d59e247295d6e0f72c71a3095

SHA1
bc52c5a348efb3019387f63c71b580a53078d279

SHA256
02eed6142dab1cb421c886cb3770c9b56e4a087cb399abecd9fafef8dda6ebbb

SHA512
559df257309209ed24b1676b04917367ff8906411d6b856f21a54f09519ef602dd2f7405c97e6b9a7663d587d23029eebb5ff765bcfdc1f46fc3182966a7b9d3

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe.config

Filesize
6KB

MD5
06e40dfadc011f07b0a8bcb910ca62ee

SHA1
a4574e90d61339b3eea2cfd11ed12e557f7f477f

SHA256
ae74231a8e6bd0acff9fb074427be26a73af20885cd23cfa6a636c9df4333f59

SHA512
ae27cc72c9afdc89a5ef8bf2569284d7ca6cfbcb30a5cd4ace0da11bc79a35f47c65a5f414f84f95f8696822242d3b9718dd860413c55cfddc1cae37d8c5350a

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodSDK.dll

Filesize
5.7MB

MD5
39844565ec5c8cf05d62ef399b011754

SHA1
23ba2573016c6fa7344f4d422d86a76b5216363d

SHA256
f0dbf3861a5cae109edef2e78fa2b9f7c4353025bad314cf3afb3fa173a4f5af

SHA512
54b5a16b55491a59e6cb7f4172557efc470d6c31f503b7c8767f0ec410f128a7b98bf4191ba8176fe39f77deb6372788797f0dffbaae2041338af63eca544e0f

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodSDK.dll

Filesize
33.6MB

MD5
d9d45c0f7886a9b991d111e5073990f2

SHA1
dee8b98bbbe6e0adc94d48f749bc964057e211ac

SHA256
38910aa9e702c5a303aac82017f6e5c9d4a200dcc3656152f563144a5ed1ab80

SHA512
9c668f356abc9ef1af8c7de9bb90463212c62c6fec3ea5194edb067ceed478de8fc61fd870484dd3964096a44cd0dca5fb95268906fa9e52bf10cec6889045b7

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\is-74BOA.tmp

Filesize
13KB

MD5
68011879fef2de307bedf76f2bbaf3c8

SHA1
a471802c6f6cb92a94464e1723596484af88a333

SHA256
a977d8674f841281192fb30a5175c9fd35fda0fdbb4104954706a5046a39abc2

SHA512
f3df4c05f7f850e9b0f0af60aad0a555d011318ec2b6d83bd0babf432ad26a42221b48af5dceea898359cc82f826b701842abf7292b88a476bc35d37228bf8c6

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrv.bat

Filesize
230B

MD5
e6bdf4edaca31d8f5f5d8fab141e1bf4

SHA1
b67c41d0170c246a2b01dd2e6b280c147e98419e

SHA256
9387039a0be348be9d99989c6f60ded8760c76c5316692dc880b486859ae792d

SHA512
f3b62c78982e7c7ab0d9c04db18642f43e289cda8bacf454df5749b1371d444bb44f57f65931f39a8075c491cb88e3c96b83a3c3a271eb67a9f427c649787c8d

Download Submit
C:\Program Files\Voicemod Desktop\driver\uninstalldriver.bat

Filesize
1KB

MD5
a6261c36b1eb262f18c98e520966c329

SHA1
be1f1a0bdcc2f26bc41599b257f2b4c95a1a87a1

SHA256
d0cdbdb5be2be15f77861b6e08aa553d9e8580c224ef0f63e55064f415fc16f0

SHA512
06da998b9778148e15065b67ea6ffadd6df7babf6b1b435368e6c7b6e91d3506d3c3498140cd8b950e207d97c78a899e567b4fbf462d07f7ad473a878ea45fec

Download Submit
C:\Program Files\Voicemod Desktop\driver\vmdrv.inf

Filesize
4KB

MD5
b9b68ddad77911e85697af02b6e311b5

SHA1
999c26f4e20fd29abb0404c9b5bfad4fb2664d2d

SHA256
f853d5b0a5dd5cbe1da2ffaae285080019f9e60cf4e4ab7d9810f5be40f362f1

SHA512
40e0307e787c8498ffc0922d190973b1634621bbefc2a89feaad1b4d68797f9e55c1cf55e5112a0a8d13ee37fa2ed18a33248c95e4298471e2f7cb3f6359c874

Download Submit
C:\Program Files\Voicemod Desktop\driver\voicemodcon.exe

Filesize
206KB

MD5
afc1465481d73483af98d1e78419ff02

SHA1
7fdea1d99110007a5e560ea7b43ba0dec735f908

SHA256
98ea0aa12cf1a2b0b7337bcdb6fef41ca35f83248e29b6072fb15f3c180232b4

SHA512
6b4c9142298a91f65338ce68edd66aceb1a3e7a5ef4d87969064cf49828cfbf8bfb3e0a226fd13bddb933d49d7aca9fd0a9f6cd048505cf5ba2abd4b871b93ec

Download Submit
C:\Program Files\Voicemod Desktop\is-1E923.tmp

Filesize
37KB

MD5
32344c4a2adf49250dc6e641aeef0467

SHA1
f1d0325b897afc15c7bda9ba3464628244521694

SHA256
76c199fac18976b62780c83bd82205df54c716d97aa2f70a4e3b46b63f68ae7f

SHA512
085afdc4c3b58462c005e68a0c5f5c1f9699f5904d4add1678366a5ea3ad440f2cea88209739e243a39475eafdeedce1bc838923a1e2bbc676b089625780f8d9

Download Submit
C:\Program Files\Voicemod Desktop\is-1N8EH.tmp

Filesize
17KB

MD5
4483c37e62ef068827b6b1cb296d506b

SHA1
b8b72443c0e38dd3fd107d2f7fdd4af924f8e47c

SHA256
5a4e55aa9c0f4e3950b5080e314c114b497878a2985ca5b496794b4e2d649a95

SHA512
8fbbb6d02c7605c839b7a87d02be43083aeef005c9c8fe0b0a7b130850726f1c788bbf6551fb6c1e04685a0bec38d4d2e7915e1f461bf3d4ae65a4ee29878387

Download Submit
C:\Program Files\Voicemod Desktop\is-38GOB.tmp

Filesize
35KB

MD5
30f911d2ff61105f7b5680006a9e4def

SHA1
12285ffda48a642f3b06b06ce73f79341475c006

SHA256
42bbc209a1a39f3bab6652478de1bc7dd240146e3b668d34253425eb663bcc4f

SHA512
bcc6e1b979a370d1e11083327776364620e7055cf21d05f56f5867839de77c5c3823bd1adf123865533263fe7766a6fde6e66a55535c705a9097662e1181d463

Download Submit
C:\Program Files\Voicemod Desktop\is-3L2FB.tmp

Filesize
49KB

MD5
23ad60351e197a0f275f2fd37006897b

SHA1
7ceb00c938886a8752f6fcd119eeca3d326f491e

SHA256
3e6bc9ab18cb6a563b1245a4be83733d5212c33cbf6384bed22d20a67d6d1cc0

SHA512
43353174d1eaf073d6a40337f819d44c83d8762c768b4edf458364b1900957a8cc78e404019921866e04e98b6c979686d618a8b9d5b1c0d3d0d48df7eb0ed596

Download Submit
C:\Program Files\Voicemod Desktop\is-3TKOG.tmp

Filesize
32KB

MD5
390cbc5d82129bc6f4a816a7fe0d37e7

SHA1
92b9ad43afcc781d72334733d4acbf87e84f2757

SHA256
b260e0c06e128a95109658c0e4f4a52c8c755df52c0bf49e4166608ecd06c472

SHA512
48bc5486da80bfea8bedb21eeb84174d3ca155a432711750d64c71eb3ccfce5234668b23daed66b5671167a7d5672862813f51fb456e754ee183c436d74560d1

Download Submit
C:\Program Files\Voicemod Desktop\is-415L1.tmp

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Program Files\Voicemod Desktop\is-4HCLR.tmp

Filesize
42KB

MD5
d195309528f364dfacd3bae393ea08b8

SHA1
763721aa95eb354fe7cb88ac5eadbf6d854bc5cb

SHA256
123766d210b9793ce76c2779fa87b3c8fe122a526faa6d46841cf7cf6e5495ff

SHA512
332578fc59e8c518a0e45957d20a9a491b7d6d7567c1655c2f2fa5535450d2d9238b7937ba26b1eb271335e0dd605cb64768ac875eb0901692d021acb1e344d1

Download Submit
C:\Program Files\Voicemod Desktop\is-4VETR.tmp

Filesize
25KB

MD5
3fc2aa5a1717accf911040b215bce29e

SHA1
4b70d0392884c1dfd5ec66242ef58f7f804f58e8

SHA256
8d0bbbd3da37805186b4958e9eb8c7da038a759176e26eae64dbdea75e535ad2

SHA512
c74240a310ad5f236a805b40c8c407f0bf501ba6664e259fff610dea0d0148628df01ea96dd1d03a7c6cb01c7f59d374cb9b2e613a0b93813cc590aeaf0e2d4b

Download Submit
C:\Program Files\Voicemod Desktop\is-55SLD.tmp

Filesize
24KB

MD5
23ee4302e85013a1eb4324c414d561d5

SHA1
d1664731719e85aad7a2273685d77feb0204ec98

SHA256
e905d102585b22c6df04f219af5cbdbfa7bc165979e9788b62df6dcc165e10f4

SHA512
6b223ce7f580a40a8864a762e3d5cccf1d34a554847787551e8a5d4d05d7f7a5f116f2de8a1c793f327a64d23570228c6e3648a541dd52f93d58f8f243591e32

Download Submit
C:\Program Files\Voicemod Desktop\is-5RJ58.tmp

Filesize
20KB

MD5
38a2ae77291920d18b43e5979a11c1c4

SHA1
cc6819b82a96ae53769e344d5175179438a75073

SHA256
b94bf1c9a3efa5bf276932bab931cf5e81f99c6e882fdba380c38436dc2d2643

SHA512
c76d98b8830c56f78b22cfe30f4d7240836c276581e2d4bc04448a435239a013c7acdcc152699dbc09c24dbeff0323db5845de3939b8480d0c95e148585d0eff

Download Submit
C:\Program Files\Voicemod Desktop\is-65PIG.tmp

Filesize
14KB

MD5
4d9d797c82b0af93625718ca9012c17a

SHA1
910eee42753057e3e1849391e5fd4746c1f876b3

SHA256
dc55b200190e101780720ea8c8d3b53f2b5653ebe6f0e0676f1b64595ba9d132

SHA512
3c812b52c00e8771849d991f8a518a0af4ad3b52332c86078a3de08077625784804ff0fd95bf568743f06cd4b26ec3b7634eb02b1aefa2394a8dfcd21dd4c369

Download Submit
C:\Program Files\Voicemod Desktop\is-736B8.tmp

Filesize
42KB

MD5
7d3d14b0417a68ccdd9c51972ff74863

SHA1
ceacbd53b6a02e1f7337a6b0058924e1e11949bb

SHA256
04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4

SHA512
b2d133214f21d700e1af0c248dcc11ef66ea6da62043ff6d5e900fe2a1665d75583e4cd218526a146f2c62e22adf4ca2fa3b8879ae0f5a2e515e2c3a5184ce9c

Download Submit
C:\Program Files\Voicemod Desktop\is-73MSE.tmp

Filesize
405KB

MD5
07809155502ca460862d6c3cd554200d

SHA1
a648d3dceaa0dab29bdeb3b08cfcc05b816dd28a

SHA256
4afa1ef0f2df936fe2ff026d73b9630cff0d567cb66e3e09ed94783c0d3a054e

SHA512
6314679bab44ac165e77689ee8265f3687b8e7636a0b0fc688fc1b4581ba376c612e8d117dc50e8ae447a36e161167fa4b7d3365e9b92cc7d80f56a8b57d0e08

Download Submit
C:\Program Files\Voicemod Desktop\is-90MH2.tmp

Filesize
181KB

MD5
8d31b48735cd132547a94147a50caf2d

SHA1
39d1cb9d4c925d3fa9333cb24b976efae1943bcc

SHA256
b6578ee18f67b633f7ec4526395fe1061fadfed10310b424bb9f2fb0a0cdcdeb

SHA512
867d44798d1f0c34c5b2e2bdad1bbf119818776b09eb4d99ab00a8bdef3625c0b82e2d3ceb42f7a682fed6ce1269bf6be12ebe01f807ed88616b87fe5e1f1d7d

Download Submit
C:\Program Files\Voicemod Desktop\is-AD8AT.tmp

Filesize
31KB

MD5
b7f13cb30356dbe3e3bf7c01e2d8c7b1

SHA1
712900d638167a85017ab7f99119964d84e0a39f

SHA256
9cb78661a77fbbae56de368f018ac9b06e6a171dab37e49091ac4abc4a3d1126

SHA512
6df9337d590adb72df002cd64005a59f60ba064b2ae2d207559f0b43c9c8978ae75b22115556f0f4e7567b7b7862b99fe069ec92b3c98752623636bea92d1bb5

Download Submit
C:\Program Files\Voicemod Desktop\is-AHL2C.tmp

Filesize
74KB

MD5
4106a161bdbce068267e9054fd907a85

SHA1
0b5679b632122a75f91f151cf88d63f672875bee

SHA256
a852a628dafd880662671395bcb2417cc86429f0f2d46bd8f357c7875862a615

SHA512
731f1998717aa3f156033b7c2d711f4609200c1bfdb24902ed366cee2808675caa8c1aa8d3687e5ae0126b136f02bf9bddfd2ce9bdf462fb630d5d7f087d1092

Download Submit
C:\Program Files\Voicemod Desktop\is-AN1O6.tmp

Filesize
31KB

MD5
2cc772c2e93d19e28098e17a6a6eb03d

SHA1
790b8f91cf0688b92152112305b9c076ccb7d889

SHA256
276c50519e010fab6cad092f192e470d07e44c633399a4bbe9303d9c9aed0a98

SHA512
980eac653eaf674310b9ce543bfc967deca56b3ed47b917e4916e7a7eed13584e05deaa5639c2f3eb6e0671c2795e6948d1a22adca1d8aaecbe77696aa2088a3

Download Submit
C:\Program Files\Voicemod Desktop\is-B5NI4.tmp

Filesize
80KB

MD5
916a2fda1b8f177e3498435e0b3f7d40

SHA1
b71de9c781164148508043e3b5c8de8e6cc77ba2

SHA256
acbef20c8a120482b61c4a570ff88e86852b564237aec474eec9f9040e5d7548

SHA512
55f78889e58b6954fe6d7eea82871f01f694c40eb7d309d49064fb390a7c2a976b23acdd7eb0e34f49e2e4face10d772168b980c0a913df0a35d46a299ef40f5

Download Submit
C:\Program Files\Voicemod Desktop\is-C75CO.tmp

Filesize
130KB

MD5
220971f2e846be31e127f669d979396c

SHA1
e12b22755c8182ffe2ce81fc742a28a43f583bc6

SHA256
0f181dada69a149c7f79756813c5ce0545dd5efd93b8c6a8985323bcd5291abe

SHA512
08d0a0f60e80b04631a56ab3c5f48d79c6a1437a02f8c30cba090b2ddba05ae561794b55106b9a079eb2daf0873400d60589ed4d499a92ba775c57582e576b8e

Download Submit
C:\Program Files\Voicemod Desktop\is-C8AIL.tmp

Filesize
57KB

MD5
39cbf714e7445370f6845757419e17ae

SHA1
b79f777b253b6a750c7c52703e4ca4392aa46ad3

SHA256
2ca1b4888423391da585e58410aecfdfdc3cc7aecb2fb9c3c2265694595e6d8d

SHA512
0537dd3ff9aa122a334781e6a5e68cfa84d77278bfbdeb13c2e3ca6aa282a0e51cc2ab204b3fa78d09d52aa735cff26539125ae02c97cfe63c7a66dafde977ee

Download Submit
C:\Program Files\Voicemod Desktop\is-DO6MT.tmp

Filesize
16KB

MD5
3004ef05d102afa76bf3460e5a2e76b9

SHA1
ae8d85ee777a3e0eecacae58175e852103005398

SHA256
54831fa6da2e428fd05bb82336f6882d41f49fe79f0b04d4db2ed8d2674fe23b

SHA512
9debe1636fb1595b4dfa2bdb78b1d8aeb5d90b72635fe4592e1a4cafcb53291bf9002830b7024e5ccd7f3e77e52322b9a364ca2ad7863e85f43eae50aa000610

Download Submit
C:\Program Files\Voicemod Desktop\is-E05LS.tmp

Filesize
24KB

MD5
fb08199bc94ef1829ebc1a5105917594

SHA1
8538c7cb6f211dddcfa2e50d843c83af55fd7847

SHA256
9c4d59f5c74c6c2c3bf69fb1e5707b04eab14b3311c89b974142fdec88bc44b8

SHA512
e589d56cebd4e5e104dbf8c760faed7444158fbf41659ce739a63093faf5cec6aec4983587d6f89e78400cf22e322217d81a638dc3cd7fe90bfc74a5af9e4a15

Download Submit
C:\Program Files\Voicemod Desktop\is-E2MO4.tmp

Filesize
72KB

MD5
56d833cb79fa1bde835eba801899f55e

SHA1
f04eea7ac13adf4224199d6362573b866e91eb97

SHA256
3fae9fb43ad7c1ce9ac8d0fcb98cc893408f432d468cd6403c7c7d44c862dd5e

SHA512
1011803ad92ccf94f4118663d0a151ac7b1029752fdffcb50ea24eb3042a86b01e2fc5d9d7c6c8d39baa82f45167f8aa66d31d5605687b19b74354a61042a620

Download Submit
C:\Program Files\Voicemod Desktop\is-EGG14.tmp

Filesize
64KB

MD5
0d65948a9719aa94218b0012409c3398

SHA1
92deee204350c7c029f59054b115cbed8ffdf1e6

SHA256
0f96a425e05decd3484eecc05f1957ef39768dfb1ce2e4cac9e10ac30361aa8a

SHA512
8438ceeb545f80709594eb32219961e5d13d830ddf7c391866e7e27431fb0658be0a24653f47c8311ad451c365984ecf8ed9b88e963283e8a99b9fe5a637486a

Download Submit
C:\Program Files\Voicemod Desktop\is-EK2ST.tmp

Filesize
25KB

MD5
7615c5a23ddd0f7b35cc2e5cbd602075

SHA1
8cf08282c6f76715f9a84f86f54bff49a8d4782d

SHA256
1a5a839a7ad5a822f8732f65e513639fa7270a8603dbb04440fb3a7562bf3ac3

SHA512
07d10213c9ea9457541af01526e3e88ec9ddec32edf0bfd471b06d0fbcf2303e8e4633624eb184e090f12397ad8e0408d20be06e172f1f0cbea6fc0790962369

Download Submit
C:\Program Files\Voicemod Desktop\is-GQG7J.tmp

Filesize
38KB

MD5
76c9e64046b8c8bfe24e782b2272782c

SHA1
d4fd4eb46f81d82a6d1d33bcbdfe345f1a8d3725

SHA256
5afac60a95dd1e942f249abd32818e448535f058985b1ffe9163ba5d9902952f

SHA512
e8c90aa3637e88a388d5ec1981533fca4b752572c29dab5e1d067787967644f6e330c96ae1124760ce1017461fb6da9ae5578e24bc5fd0bb53f969dc110d6f11

Download Submit
C:\Program Files\Voicemod Desktop\is-H3OJG.tmp

Filesize
41KB

MD5
c5b6d0e3e885a3193a37e799356ca05e

SHA1
5c9b5224f8666c94ff1c05e5c060c0f7b2cda85b

SHA256
2a20a1cb4be9219ffce2c69901fe4695257a32391ac70bd62bce2709f7b5ff69

SHA512
349a0577c69af571ba816f93ce50d73709845c68e98d4814af088a00aa96ad45ff16e2077aeadac5bc8344ba88ea12d0074c4dc58ad91ac30f2f74fd5d5dd679

Download Submit
C:\Program Files\Voicemod Desktop\is-HQKOC.tmp

Filesize
78KB

MD5
ed06e5595f283cce8ec5a7860154a67a

SHA1
6f3733804d47fdd483754d5c63b7ff5b7ac23e93

SHA256
f15fd34e3d08fd9df5c6af573914392fde4757e700f44d3a9be99a269f6e1812

SHA512
5a59640bc2618c8be3ae5fcb52a4b66af12ed9868ea5c2d532b4eb8082b90f762c5b1fa89f766c0d440ee451bfa03886b3bfdb54809c19f610e14851d32cb28a

Download Submit
C:\Program Files\Voicemod Desktop\is-HT31G.tmp

Filesize
36KB

MD5
bd0cb2bc62a2485e93aa36fa6941c0ce

SHA1
453cfc5d9a9cb9c54ec38fef07d7bb3289484c7e

SHA256
4cbafb5c80b11692638d857c0227429f56cd27dee8fbf85b75cb1a98c8a86f84

SHA512
14c74166cd8f010cc6f0c496931e0ad11b9292e35fd3c899620980432c191ef4e44a44100d675b5d288bc779fe850e0727e161ee718caa60d1fde286bd65a8aa

Download Submit
C:\Program Files\Voicemod Desktop\is-IBLCD.tmp

Filesize
22KB

MD5
e78df79160ef9ecb882e92ee9aca7b3b

SHA1
05eafe02a6a0f2b5af245101ceceeff54736447a

SHA256
6c89704a56236f7886cfd6677dc2aaa22984d5f5312f31735360db7c8c3b51ca

SHA512
8d953a88e81e44aa04827d136598d98f1445c2665e1adc323a88ad5f6634571cd4827b57ba0f28d7cc9289e40ca8b7aa5a3366ce2f244a8b8aed86b9b4d34e79

Download Submit
C:\Program Files\Voicemod Desktop\is-IM86G.tmp

Filesize
458KB

MD5
a6e4d1875e7c8c2dd06790fbb318d1ab

SHA1
fca8529475e6c2128757c2a1b4e98d5576ba0afc

SHA256
2606d84a6906f9c961d61d95e18fa5f92f7546c063418555621b3a19039f73fd

SHA512
d6a165668d04056ffad40981aa3ff152cd1f216800bfe605238bc19381724a220c0f4a954e48e8aadea62513386ef465c42725f0ddee3b3009e64db408d9c6ba

Download Submit
C:\Program Files\Voicemod Desktop\is-IQQ26.tmp

Filesize
337B

MD5
1b2788fed17a2fb23f603ccf2f2146db

SHA1
9e0b2888c030000edcbe3109a89445df9e2fdd4f

SHA256
040f4b3d50a1c3c0dae308ffeec4bbc35497f1189c4e379dbda3e3359439a3bd

SHA512
788e2bde5ac52b0b7ee909735f4d5a3de6600e9df290b0769fd6d10db838629cd0ffd2b2e6e713cea0900e73bfa4269ce24c24064bec73c9b9ae9eadf8f03694

Download Submit
C:\Program Files\Voicemod Desktop\is-JCAB5.tmp

Filesize
14KB

MD5
bc2e1a4e2a3f6470de251dbb7cd15cb6

SHA1
812831c17b12050e27b62910c4590b3cde53cd54

SHA256
13362e6db86d31b2b2804c30be7c0f6251d348a75d15dae139962aefcbd620ff

SHA512
9772f6aca0baf88a18c4f8e614f2ae201e2686772286ec6f3e089180ad2a9a29c752391c092a8843173cfcd4d7a42e1d8406c95c15ebc642ffa877f887dd27a8

Download Submit
C:\Program Files\Voicemod Desktop\is-KD9M6.tmp

Filesize
19KB

MD5
efb942edf1d49ccd20f900b0749d73cf

SHA1
02640ad2d0578bfb0ade2522be39142857afb15d

SHA256
50256a3a6bbecfdfcce566a1b20afbcca45674641636f5c658b9446b582416ec

SHA512
27e2ea03a2ed6cffcb01a156e7edfc7a699ec4eef4a96d2353b57f53ee2b10620dcfa876ab8b58f38bdf7594f20b6026da166a2629449423c3d231516f9bcbe9

Download Submit
C:\Program Files\Voicemod Desktop\is-KI8RH.tmp

Filesize
14KB

MD5
7721decf5f28e1470d40b912b2253779

SHA1
04536a984d29ad5bb1939ab83a1c5eea501f2670

SHA256
ca4cceb6a39d5b511abb897d8bd3c1de6921cf8a284da73be2f7ba79ac377b92

SHA512
2aa81e5a800f804ecbb206cbd2807d4a1987341dd211f8c493b6d5873e7d3d35f4db8c27b4d67631c592861eb3fa05037ea93d02585870e6354054df687af076

Download Submit
C:\Program Files\Voicemod Desktop\is-LHMDL.tmp

Filesize
22KB

MD5
14a7a2b79865de5c273b13583bf49763

SHA1
34b5d578bd1c1fb0fd29adbaf8e270909a803cfb

SHA256
e15127aff5576b0c5c84b8e716bf3ab7c5c0e5f17764b6fad45e88e781810284

SHA512
fa3e7550887133551094548d4e089b219f9dcd4ff07d3c9298ca85b1be8ed3004a7643e03d1293d1a378345d40ed86ff7b44036b2b7b1d2d42a7deb7baaddad2

Download Submit
C:\Program Files\Voicemod Desktop\is-O4SAL.tmp

Filesize
22KB

MD5
f3616191069793a8c40045ed0fcb6309

SHA1
8f4d447f6e5bc442953517dbf5598cd7ccd945a6

SHA256
fc67990fb44d03c9c61323e362aefb749024192963d87cc99eacccf5b468449f

SHA512
3819305d55bcafb33fa867f6888c738b1464519e3915f47773c3044116706c7381f226a72ae62241418b6b1af68fddb5af6a85fcbe49d63b1f6c099b592d72b8

Download Submit
C:\Program Files\Voicemod Desktop\is-OERRL.tmp

Filesize
44KB

MD5
877a2436fb99d0ca59c56e38abf5959f

SHA1
028568bc166509c3cf2bfb5826224be23255e4cd

SHA256
e98b0f67476a4040ce6c227e107285c790e538a171269ec6fbae031b3d7b0e7e

SHA512
cfb42550fd2ac8ee15632bc867743f7379269a64d16d9f141e1a876084050233a432448410bd14f3ff8c892aa6939de5ad55afcd48e65a61b1bd9d20bbf757d7

Download Submit
C:\Program Files\Voicemod Desktop\is-QCGHT.tmp

Filesize
47KB

MD5
fa43b31fac519d4537325b2d77595c3f

SHA1
dc3c0912d2275684a95816401f63e155fe2b5ed1

SHA256
ce4721eb7591c77ec23650c079c25730bc9e4f2af440ed0ce913258151434cda

SHA512
e9e050ec7bd310ce3c5c13ac7f3849dd96ee34ca68a91956b956eef6c228a23d790736d05f07562b039a888471f823107d11384e72e172f505192964680335f4

Download Submit
C:\Program Files\Voicemod Desktop\is-SIS14.tmp

Filesize
59KB

MD5
9adb29aa65a7cc5ada2cf5c5e259407b

SHA1
a049318e3ab543354b87ba88058e362a06bba90e

SHA256
772ad7674284c0f62e5c90d0772283b8152ad704e612d5d46088c77d17314d1c

SHA512
930f1f10a781c792742b9663ccaef5dd6a77921c63938274422d072ec9843e71c34fbdc780b950f4f625ee8c85a675900f9f0e866d1daccb5a922c216145a4dd

Download Submit
C:\Program Files\Voicemod Desktop\is-SPRTR.tmp

Filesize
35KB

MD5
1be5ffca9bd7f3e8761574783605c7a8

SHA1
10715af2097136185efb665817213374ae865c3f

SHA256
69e686e91deea8b0671faa31c3ae00b43a99cd124cb0b524bbdd261f81a4507e

SHA512
645f85df8a8b05e2ebe69d53b3c1ddc852c22eb8557118633a46d0189bc714da156ccda453a4c9bf9e0fa1225cf971a65bbafc77a47d650a336d81ac99cc8a34

Download Submit
C:\Program Files\Voicemod Desktop\is-T4O6G.tmp

Filesize
40KB

MD5
ad750925d50354e9f024de4cbf89d99d

SHA1
5f59101aeaa143d2d13a2a5b70728304b201bd50

SHA256
733157ecfe5a2752dd50d5f4fdf688b2e1d016da020d6969c20c5fde050cf2c9

SHA512
a1a5b2d8c72cf794454fb781f09ce68b279b83cf57326fc3f12c0f4417d638a5ade287477ab93a15440d804d0784983d61bd9538f77e11dc5d07e563e89561f3

Download Submit
C:\Program Files\Voicemod Desktop\is-TONJS.tmp

Filesize
25KB

MD5
ba5145200fcea6b50a2223f98b468bd3

SHA1
7af4f0b8a4a7b75763bbc72c5c3edf3d85fd8a50

SHA256
5971ca80cf7ec34845334c9734542cd4de2548fb15192a19e6df3272019e6317

SHA512
3e442028cb9208b1925d53bc3f0146fa832e1a912b8c09dacc6b5ee419c78931e4b5e256d58299a3adb9f54b2a66f24e454be74017fd0f0e2fbe5b7e98ada464

Download Submit
C:\Program Files\Voicemod Desktop\is-UI7KI.tmp

Filesize
23KB

MD5
5a1b13bff9301f4623fb86aabccc58af

SHA1
65fc65a675efd3ff70363f7c1a6236dfeac2d58e

SHA256
9c0b76c91580abe9f08eba1d85b54ff8ad319e28838489b405608026c0ec0e44

SHA512
4312c50150d96d487386c6160c1a684e5f07574215115e0df6e0c1d51186051c48888c9b582d5f86634ad219a666b07e4ab3ebeda3d38eb8947e3a5231254763

Download Submit
C:\Program Files\Voicemod Desktop\is-UN7BR.tmp

Filesize
47KB

MD5
066a9401c103e215accfde47e773de20

SHA1
9632667aacb996fd9c360451419bf2774cea3436

SHA256
cee2549e788831a5cf08efe42d2691a41d300ea74150257ba94ce22b9ad54009

SHA512
3223ea6e89863639c61d3fac47ca7bc71cc4146f9b793343b2cfd242ff741cbbfadd0581362a5786b8bac8939936c8c5805ab1be0d1cd573f18fb32ef171fcad

Download Submit
C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping4864_350175227\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping4864_350175227\manifest.json

Filesize
1001B

MD5
2648d437c53db54b3ebd00e64852687e

SHA1
66cfe157f4c8e17bfda15325abfef40ec6d49608

SHA256
68a3d7cb10f3001f40bc583b7fff0183895a61d3bd1b7a1c34e602df6f0f8806

SHA512
86d5c3129bec156b17b8ebd5dec5a6258e10cb426b84dd3e4af85c9c2cd7ebf4faea01fd10dd906a18ea1042394c3f41a835eae2d83dc8146dfe4b6d71147828

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\Cache\Code Cache\js\index-dir\temp-index

Filesize
192B

MD5
f9841bdc22c26175debda8b801cf9635

SHA1
408edce0d9e08380724d473d3311fd23dea35c8f

SHA256
a9b0201f405a5aa7598411188bbe3adc1fbcb1674752d318aafd43a809a41f28

SHA512
791ac4d2537d1fbdad95e917e897ecc25f20ce674750bed71007d3c2f23ab1619d7b6b9bb46e5891b61e9a56368208386b1d8c727f0e28b16a43c86d49222af4

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\Cache\Code Cache\js\index-dir\the-real-index~RFe602290.TMP

Filesize
192B

MD5
6a6ee7e80006e7c76883f64094fb8a13

SHA1
92464d5644873b82299c8d6d24abea353bb026e7

SHA256
6f09f301830ca33f9413993eb08e826abe2795a63035446336162597d95924ec

SHA512
e8d99fe70a24c444ec2107cd284c4275fa87c06522772f6197bcab9aa5b988b5341e4a1064b3b03afea61336669ad3672966477356fb0350dcacb4f0528b65f8

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\Cache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
20KB

MD5
0c4e029571dc182bfb39161f25531f06

SHA1
77b38d4a247b63881e7b9be324979c203987ae4e

SHA256
fa5e2241e03bf7f6357dbff6a4716e4fee8b612fcb241ce68411552ba643cee1

SHA512
51501b8f4caadf0975eb5d1b3e193c3215c3b0706f7203d9173c8bbd3149526e9134b8b87ebcb0de6f1ed44e9f735ea3871201ac476f99e463380fbdd39ec7db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
62KB

MD5
6b04ab52540bdc8a646d6e42255a6c4b

SHA1
4cdfc59b5b62dafa3b20d23a165716b5218aa646

SHA256
33353d2328ea91f6abf5fb5c5f3899853dcc724a993b9086cab92d880da99f4d

SHA512
4f3b417c77c65936486388b618a7c047c84fb2e2dd8a470f7fe4ffec1ad6699d02fa9c1bbd551414eef0f2e6747a9ee59ca87198b20f9f4a9a01394ae69fa730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
63KB

MD5
67e59a06ec50dcd4aebe11bb4a7e99a5

SHA1
5d073dbe75e1a8b4ff9c3120df0084f373768dae

SHA256
14be8f816315d26d4bc7f78088d502eff79dee045f9e6b239493a707758107fe

SHA512
6364515e92ed455f837dcc021cc5d7bbab8eac2a61140de17ff6a67dfdbbd8fbdded5ce739d001a0ba555b6693dafdb6af83424d6643ff6efddc46d391b21d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3b0914d8ee780328_0

Filesize
141KB

MD5
2db5f2efb8bddb93bd95b82029ac8074

SHA1
7fd262f8ca6a0a957326ecfbfcc736f247b5bc5a

SHA256
2ae036a72a0f9f3295931b6ce25c5f60e632a5419278579abf13cdb3c81cfcbd

SHA512
6942d796990305879d0e8ea38a79bb9cbbb2d0fd11b4ad91acabe432822158b99723462659bbe8f70d585a326ce92bae959308a7d313ea43d60c6925632959c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\481963cd074f1a48_0

Filesize
268B

MD5
311b1d0dfe18d6f942277364aa8db308

SHA1
282722ed5ebf398f8f3d11b39c591507afab3539

SHA256
3545714258e448d22ce2e03d20c0c125c2993a5071ee26edfd1a87234cd276db

SHA512
0b341f5f8d442e35dfb5be380c0011f71f770b09058a38c1c1f0d3151a29d8cd02838a85df8d7fd5970b19183febf9659b90045bae960ed217239fe910f15ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\56d6f409590db490_0

Filesize
54KB

MD5
faf0ff18a3b5cb37a8c85fb9b9dbf9a6

SHA1
932438413f24819d6d94dd88240763529b140bd3

SHA256
46e5b8179c48ca6904eb69d0b86db4bda9ee65b93c2fc16991a752ef4c5fe619

SHA512
5724ca04779634a4594a32ba64b1d7e48ff271adbf6cbfa39e12a5960e6dfb88b0c2b407dcee35494456fbfe6752510f29239d679bd02fc2a6fdf1d87efc946b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7a8694aaa036738a_0

Filesize
21KB

MD5
52c3dbac6c622707358c43529e05ea51

SHA1
07650490df1af5e2de412704ed795f76657a9516

SHA256
cef4f1d75d3c4947dc1a540178b7fa1c194d2710b10de7eb497956c4a407d015

SHA512
21c331fdd9a27ce0a20fd8969131028d74aa749ddf0daab7b9779ddaa5e7e9566f39eaad9370739ca20858487fad6ff34c6a39e406e8c84c11c90705e0639cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b13d9848aa9ac2f2_0

Filesize
278B

MD5
5e33683b603f487f47c0c069cbd67bf1

SHA1
aeada4ba535176b096e1a1b4482b99aae0285973

SHA256
858ec46ae9c97be662291b2799acc71dde045cd01789ca123d87efa45da72277

SHA512
a1b633194ffc051e4aae2cdb0723aae40de395851b876a237fadc698c2a71b2b8d46543660b927d2c830da9d521e8b6d5b894626e872689de1249c46ac0ed01a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c472784dec098560_0

Filesize
10KB

MD5
725f24cedad0041473dc7f33af19a412

SHA1
022a459e67193e7f90a4c8b78e1283f8f9c5f472

SHA256
2f5c87cb6b0c3f79656728281c1ab84de72a2d3f70157fd33662d0dbeefecbc6

SHA512
2dce7c5b9f1565bdf152955ec2e8c5eb27f1d040e6f0b3b49748c72e0c54fbf409df0e4072dec0d51b7a40965f52d065f1c2ed6925220a4bebd4527d8b7d8b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ce25b94a8d32d720_0

Filesize
54KB

MD5
ebde602c44881735a17078d598701865

SHA1
b4f4a07e40eebea9beca54b71e129e0079f484c9

SHA256
115b31902d437863170d1c28ea622502aad15347e0a7d0c7cb1433f92df4e2df

SHA512
7a51c43376181938dd5e322ec276094da7593810fe9c837f0630c3478a88adb505a54287943fba37c8415ec1bb08e5ba62c493d03e3fd0504f559467a2327c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cea405f6e27664d6_0

Filesize
330KB

MD5
90ad1e6258ebb35bb051c635934d55c9

SHA1
54fd7e83506ac809983ab300b6a93cabef2f738f

SHA256
b5631fe5eee2db7365d9ad8754e79033e3ce8c750489fdd5d1a7e0f18691e05c

SHA512
970420f0dc5cfe6b0e4d49f26cb4e4a4ae38d5e9c4faa0613c55fe16e88a99aebb1d3512206d0c484816a2f6ff04de36548175da43721f0fff95be13e14c733c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
cfeef249bc3fc736c1e7dafa280a4183

SHA1
25dfbc5d1cd63d1ce7a456c0ac88ff3ed05b057d

SHA256
774b64dd04f1af83eb4c10f23fd38ee70fa26defeaf875843cd0010f3d3cc9b5

SHA512
ab510bac41344c87fa92369058380965d4a4260d1de93f5d9c1498250fdf9856cfc3c5a0c1de7a18ddeb25e6e6f7ee5d28fcfc7704aa15fbfb07a1bec353abe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
61bc8c12359c24c072b5cf5814a86622

SHA1
d541cd5da72b58b69d1af26cb6197bbaf9cb9977

SHA256
b786111b20ebde259d2df8a33c4a6a57c3647914cfb5d700661c801d0b670055

SHA512
10dcfaffa96ad2d42e97a8a935b52e7dc81447c073a493eb2beb8a2b173391f23ca23119c895c645c538f9bf566c8dcda1198c0f0da6b4f98ab65b8883a68ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
054a3fdb326fe35fd8e9da0426d5d63a

SHA1
308fb71fc90bb86de436bde5e7ab2373fabddcc6

SHA256
42a89be412b78f3b53100b0c2aa3718fcda31a7f62320da5b1bf0fd02b6d9b92

SHA512
3d09348e79b37990258bad377321d5a8820a94c32b2c1f57a4cb4545901fb4747ca9cb481b8a67bf084198718088ae47e97ef3bf8da74e5434c0287546450cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b95c436a3ba3e6eda5f044f5bb7994af

SHA1
cf2b4ca2448ce51fe1669b9645af2efde9700d03

SHA256
88c387b24a5ef0399027cf0640b60bb23bee056919f7322bdf59e8ea8f7031ba

SHA512
eaa31b9f8586ba1f4b547635f8667e1c6c75dc79d05aee687c7915857c0e2a1895571d832098012fd69641dd81b88a341ed674131950b7e28be18fa47300c5e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
72f1969bd37581326569c8b6fc4ae2a6

SHA1
d1e5453b877a4ba55b8d0f68d6febf7555fe6623

SHA256
15a55813219e0f574e51b585e14891e9373dfd9598aa1b9a0cfd1aa2a7e52b02

SHA512
e03e88fcd613d453ce40c2752a28fa163dd6c026eac6ba6f59cf5052704683bfb9b60bc5ba957d4967e83b04a7f16ca89192c866628d17c6aae7c57b4cd3b831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d25c01202255152157887abdd65dfe5b

SHA1
a23fc7d6979f5014c134a13b850c6ab11ae83122

SHA256
fdd7ad84b6832d2ef965309e3ee2a3454adcab16db4cfdc99a9632b33fcdbc74

SHA512
7b7c9de415edf985df2b8dc657005b8cb2fe6208dc8d0899b3a9e7e960c2a7400d4f84489f363b9d3378c7259567a26898d1a8e8b0a7c7814939e9f3c27770d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5d72d72ad89c72e006abf8d0463ed358

SHA1
b5020c4cf762c6c1875e52726b43cac68914e50d

SHA256
3ffd8bb01efc15704efb5adc8e6279f56e1b02e372f4f8313ec309cb347a313b

SHA512
310087bdb20f76781f430e2b9e00d64bd4390ca92cf48b57c109ced7d65b27d3c7ad5573e1116d5d9ab8ee316b87f0cbfe98a1c839a6952a77196ed65d2a0fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
870d8da6ffccf5b1536d0a03988cf288

SHA1
64682eae0e6ec4a28aa83b3566223751ccf6cafd

SHA256
95fe316984ab6bfb2721ccda9a44ac0819cac719268cd5fd6b339029f8359ecc

SHA512
97aab119512460ad1a71b6ae14173acfb32848f021abed74f2cf1829c85109ea60543036111d0af70287d129226b0af5752d6b43be671d4ed39f8cee31086e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a98658f51ec4a930080af016631a55d8

SHA1
2bacc6a6c1016e2ce60440cdaa671b6053ef25ba

SHA256
e7956ff992fc39641baff370c3d9565ccaaa99a71016d5c3dc6c0c599ab7f3d0

SHA512
974dd312019d3f3ec0319cebfa65f58cbb66726356d048c1f4d77c6d6f0c1dee13b56d592f9cd3b29e1aad769fe08c75534859cca52dd0b46ccb3a2f37a17308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7dcc519079b2355209adcb10275425dd

SHA1
3311b17e2d85d83cc4e980cff4df2f2c2d647117

SHA256
3fada5adbc4b4bc257ccb6d865decac084a5126a52eee8ce9839ff40ef534c38

SHA512
699fc780294a666edb83471f203952dd31ade65ec98c4b8916204f0d78d4d9367a457cc12d959c188df34a52cc0e9c02dd5b3c541996e14de9f4584264788feb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3cba5c2e96dc0bead1c01a717bb23358

SHA1
8ea8c82569e52022389a6cb0d87c3e2b0ee69467

SHA256
28ca0bbb0519c9abb770fbb3aa36bdce75d79497eb4a75caee94d9f816dc14c2

SHA512
c07bfbce897f864335aa717b2739eb7e2771076432f0006e7ffb316327a1bf2eb6476beef29159b5fb45f2f52e74f5fa9681ba44bf55555b9d798bb0f679d7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
42f385338b57237371754a1cdeb128fc

SHA1
0296bc70a9c59ccc378e73d1b6cd9c90a143e4b7

SHA256
1555459d006b9ffe28b224c93c75e484b37f7c117f5a265d5326801814eae74b

SHA512
2b4411dde6c80ffef2950d94291e9af5b8421121ca5acc49f0ec1cbaa564ca53ba69805eb881553e19c3ad567058aab7fc355698dd31aef988296f3a5059e47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4696976c6e6dcdefc96c4692654d9ca5

SHA1
573e61b29f1573eff2a01950f8272cc686e90367

SHA256
98d262b88975b66e99f5a8f0af8dccd2a8fcd79d396a6c7a88737fe95f431ec3

SHA512
f6c1a118e50b492aecfeb2bee0b8a826d73db7551410214b140fb85ae8878b112274d6ba4def4ebd813ba775a235a66a8597e268233828293aefb2bebbfc6586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4361c059b75ac7e09a4f557cbe882967

SHA1
ab841039e21962c77386defff0e335e987cf029d

SHA256
7978bc4cfbb6e6036ef04b761548940e5409ed43267a7ded78af0f6d396b8f7d

SHA512
130a72bc59b04acc4878ce028eecf249f7ebcf8764b3b4f60270f3b3747d619581e73deb41856fbcef969ddd88692eba7970d196c40f7602deab75666e567c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5a962391c06efaaba4b771662b3bc00c

SHA1
10cf707526aca481401dc2aa4c1c24d850c59828

SHA256
10a959853c02e2d9ba6434a9477438fc534225d7f7c3f4244055069df7b57f03

SHA512
be8f1b504cab7846d0157bb7028c9ed0880a61e0d536557163059d79a6da6818ff481d87b952b770336ea65b349e1f7656b8bc48f64fbd9aab710085260615b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6ff2e30717f1a477407d3b8b4ebadf8c

SHA1
a930f7933cacf7da8ba7c234879ce25976466dac

SHA256
bb77e46e525fbe90688f9341beb09be66aed49c800e82e893b1899953b77d375

SHA512
6d467f99a29f8a3d5a0b4c751999a0482c4ba55d37d4a55ebe7a2f322eebb02c9d8bf8157fa1120e782046ca285bd6639c954706f18f2ea43820fb7a5073e322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
ff78a1b24bd1733b598044e15c792415

SHA1
75e96e235dfce99ff1ab61bf095f48036acacf54

SHA256
5838bc760145997adea41f25a6f77b1c28b16115a1ec47cce3a6989d501146c6

SHA512
7361a75ec4db2c6caf374160849c3f3a24a0217e107dd2c11ddf8160427faea89c59e77d73408ff47a4675ce1f799450a72725f3c654cb8bdd83e81af5c83311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
dff3b9798510ab4aefcb09cd60e49a96

SHA1
ab8c5943226c3b2ef67e8b2e670c629d864900f3

SHA256
10cb67bca9aed34875694416933197457e5fcb1704d87ceb521bd0b01d15ab0a

SHA512
34e342fa94b64e320872af7eef296e1ad4cf8c59dde635d326bad87472bd24f5ce176a694629325f5f94f97583edf8a8adae74e2e2d2a1377aa940a99cc0b52e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
a4915cfdb1cf110f2e0cba0a4f35ce8a

SHA1
391cffd749403b970b8f0e941c86a6ad12c99246

SHA256
94caf4c352a8ff4ebaf04c4910fd463201214a9029434bb6ad2b9ce815932b56

SHA512
ecab53eb9c791d5f095a68e2639b9c0acdb5fbf89a1d68401be24161b8774e985ab19af9fdd0ae736e6852d3fcb110a9a38020cd0efcf4f1a84a13c991850ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
d79e787ede37022254908e889c820e8d

SHA1
9236676544b7ab99251dd2e8aa36c530250bb8f4

SHA256
c068cd32883c621c7f9bc6f4bc0fbebd9b28ba9221cfa9bfe993334c60ebcb4b

SHA512
fa46dca3fb8e2bb0b5e7f3b3b6711a7ad7735f54ee561efb1a809e360260913f6a9a346581620d1432b344b809e8102a5739fcf1fc27bffde9f182ea06974369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3c109bea3395e62324ebd3c0e25637cb

SHA1
c326c5c156b51de29d6408333b5d81c2ae36536b

SHA256
91e3a4b3ced97b1f4d4e084f22b9894c780892615cdacd343a47758e6d1c8fe9

SHA512
792c3771880a561df0aa173749b6487afc36194db3b32256e91d1e6b04565065f7ffaa27b3356e44f03ecaaea0d8635ee4b4f130a16c8ba1dacee748e79427e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
5992ce2f519502fa5f4483c44841ada4

SHA1
33e4060199d354b7621f8aae3c71998204be5cb1

SHA256
620fc272c33ee23c7950048beb3c11a45eb7dc22a5e341b462e054aaefc53af5

SHA512
f3db6748e119c1abc7b118a3352b9a0d233337571ba899b4d5bc3b685f8f03b68df07fd62782c3f108be676ce925254482453cd9959ab0def09bfb69370920d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
bcabecec7ac69ad4c9954e9489ee1bc6

SHA1
85605fba267276f336e4eda9f116861715a91a39

SHA256
9c2eb570ef04f39bdda0ea489d4f6af3bc1b2ac9784b3dd5671ea031eb64acd9

SHA512
4601433186e971fae0b34f790a49c241d71b691b87c5cbc3e9e6e82a9b1d1826ac464ccca18d0deebbea7deaa4e89a5798731380613512bc788f912f50b42c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
0bce1b92ded59efd47cb7c7ab9d21dfb

SHA1
8bf71a3f7e1f39bc1b09f629633dd8cbac64eb9a

SHA256
1c1b5a0326306d1dc61f477306f03485415271193ff88c591171ad46093cd67b

SHA512
40574511ef42b818fe2df9006d31f6f914d3b08e8fabf9c534d4f13bac78c3007717054f098595972320ddfc523bc5143531fe82d1a58b358d603c99421aaa1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
ba3f87cdef028950486c02a486de66df

SHA1
4a4db64b7ca5c4b02261b4fdf1fcfffb7a4eb7ef

SHA256
1f549185a84342d7a5fec9031929973dafb8bc10a9e4caf89e5e8eed051fb9af

SHA512
7afdeed2bb9f00d88c7211e7826d0120a86df7acc9fc79d374bc1d09d64dd9b056f2cdb00abfd297776afc6839fec36a6130c1bf3a382fc6a375fefc998ff86c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
18b97e3db7554d8b3a2dbbfff9df4735

SHA1
e2dcf0cfecd4facad59739e3ff253aeb65859b52

SHA256
991e50e862fba22cdda6e38969b6571198c7550a594c2af940e5647fc48c7d33

SHA512
f409ff91e3d184fadbaa7f41dde2e742cefc6ed29102dc9382722125ea4da3f86a8c6d2dfddf8c39be634cd213bc183a92f3e56360fc0af1409f0c2ab91866f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5feda65f4f7d51d95391170d20730b27

SHA1
f3fc847c8e04e1ba55eb510ff6280400f535a2da

SHA256
253bf5e30cb801ea55e1a53ab5033f5cd8a9a52ae9444319cc8789a091c0b20f

SHA512
8760e1e2ef0456e33d10f15e748577a6b47993bb4046617847f620ea551b68b7cb71b27c76f3561522af5c8803566e34dc1caf5091280b19beb98be7cedb810a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e6d3dedb7c927b7e7b2e55d01081bb9e

SHA1
3f2f765b1c4a27a61d30f3cab5487d5e5a1e1f06

SHA256
cb3e81e8d3dce3df7e02cc044449f233abb614688e9567706ed27f459573cc42

SHA512
34e0b8150c8d3105eaa867f7ba9c700bdda405fe74eb2788e375f5e086c23b9ff46daae352e827042982f81c32a23999fddb32333e06b3eb3428fd194c7429d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a46c9474b09e2f353e3951d77a3b92ff

SHA1
32422ee4ca5d160b94c32b0aa870507427dabab0

SHA256
2e71697facfaad7b6852e96ee519ca73029268adb8a8da38b779a91cfa8a3178

SHA512
f06a5d258d0ea296525428f4ecbb2ae39376435327958c6073af1e3dced61b15570a88b26477fcbe93921ade6c0275d532b2ca427ee37cce80414382e9ab9353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cf17.TMP

Filesize
2KB

MD5
063153522adafd352a3fb9b03612aca5

SHA1
0814c5e7d0db07a7d0e318d6a383f3712b7f7236

SHA256
fd7a500d55dadb9ea315a74cf871259d346e02cccca758bab8bfe99db1649cce

SHA512
15f7a69fd4ccbdc22358c6bec8d9742ec9e840192310abc4dbb53d5f9c01a57e5304292a231aaab610574db412a81e44dca4335c71e08d59e307c3d628e4c944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5d68988086b07eb04c92139e3ab74132

SHA1
5026faef40fbbf94b840d531357d52b6d4b80f82

SHA256
8a4f4a09d432bc2c53d695fcc5cb859e0f726b43414a615f8c5d1dabcd7ea157

SHA512
c3be35d52aad8d997efd0a744e3aee7f3c8b66c6028d57fa7835a700e3356e56355557655a6e33edf5c39312c6cfff6b8db845fbec08ce73c0766d936eb423bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cafb6f3f75d2f7c7fd461373330db1c9

SHA1
a77be5ef71d488a0fe2746c92b28c136c6932937

SHA256
95f146a71a1f10f54aeb10ce94277225856fbf7c71bb55914d1766ed1496110c

SHA512
78790002d7d90f416c8bf4ae76ce71e0e0f0a7b6a53808f88ba20ba7c1a34ea5881a1d29c264412474f05085271794d725b00d7dd163dc6e6aa27a9538d61a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0apx0nry.vm4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsmmivub.452

Filesize
233B

MD5
fc0307b2062677278401e63ec43f982b

SHA1
c618426beba012c1ad1b8ff149ca03b2be994d29

SHA256
c6daa50fb0d255ebb3e6609fa77d1790dc0f1326c24bad22973d3acad08c89e0

SHA512
3df13499d2e90ce6bd926a39db7ac69c6f66e9b50bdbc10c7345166763f16f1cbad78ae4fa7202aefce930aeb41aaa8f0d16d91cc2da8aa1cbc86bb64848321d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\bg-bottom.png

Filesize
1KB

MD5
a85701bbac20a65391e4e202afc96204

SHA1
a0e73596a79baaa29fbbb368bd132e3ee49d3b03

SHA256
7e3058acb23e999d1ddfdea122afd33bc487b075c2a966affeec4d38cdbb738f

SHA512
55b1015a0d6a613104ae7edb64a59d198a176ee4fc0c32d9f1af1e7ad577af606adf55ea5586ad25443fb9ea9e770dbc2267301027c1a5f3db5eff928086a27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\bg-top.png

Filesize
32KB

MD5
dc19715992c0051d1456308b41f04e98

SHA1
85abf86dd0e738638fff84ecd44e5b3cdbb4b96d

SHA256
86bfe5acda1b1fc9bc8f205a58c824ad58179925d2ceae11b2a341122604457d

SHA512
2f7b3bfa6c084b830213996f7691b6abcb9efd0ac44da4739972758b4eab0478e46761d8590fcea03d2902909c2c992f1eed1ef48e353a05ba67c06189d2117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IL5IB.tmp\buttons.png

Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P82K3.tmp\bg-bottom.png

Filesize
9KB

MD5
495e1b72f1318b9abd18396170a8b73b

SHA1
1f75098efccea494cd6bd1241eca02a9996fcf2f

SHA256
9b86e47b5b3972b1de9d55b53caed3538f7179ddfbc79fca35ce9f30c354c6aa

SHA512
eaa474168ba803b326961ec89a17dedcbec470cc8b412a1206bfd71cb02b6c031fbb3af9ca1e218e19f7780e5b39d36ecfbcc02a3dc71e13cfc8712546f99351

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P82K3.tmp\bg-inner.png

Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P82K3.tmp\bg-top.png

Filesize
51KB

MD5
229152b01d238ac58d066bbdd45219bf

SHA1
b47d2070eb77d723f925f36c902c6cefd5bb1c31

SHA256
acb21fcb80667714749963e8ce2e24b23e3f269de34d8e1734892777cbca2f7e

SHA512
fcf37ba7ae4929d77039b0d90f87cf6523bc7bc4f81ca27c1057f53d93752f0d9603708afaf3e8f460a0e5e67210c8d1eeb44cf95b07919a67a37805b0d63b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P82K3.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P82K3.tmp\buttons.png

Filesize
7KB

MD5
84d27be69f0f13909dab87c1cb270a29

SHA1
cb3a480bf9d790342e12775b4d50c350475f3bb5

SHA256
ed4b81ffc92f6d41c5d4925f0ac83cd280ad1a781a966d2128275c804f6aa5de

SHA512
290ebef8f3930ffdb0b99df9a99bd419ff591bd83acdb9b49b421a36d920298a05ad8e85dfa7e9e5de8fe9864780eff2af1e85aa5e3fc8b3ce88f074b87bf51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P82K3.tmp\deviceId.txt

Filesize
36B

MD5
12de1b821f4d568b95338837307e1202

SHA1
ce72d84451021db96397c394c5d1e504e7389ff8

SHA256
ea465b59339415ca5149cd72a6acaae42650be56bae651a6969b3604f7a19f48

SHA512
990533b10391ad0d9398f26b98df49fa76ae9ea09eadf34bffe5e9fcbd4a71e2e2155186f7881f5b5bef0d18d55747c88b4b326ab822d5d14dc5e1d2adbf4232

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P82K3.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TAIN8.tmp\VoicemodSetup_2.6.0.7.tmp

Filesize
2.5MB

MD5
3b93628e07e9a9352cb7ea41c59ef578

SHA1
48615d4428539e9f0af70153656f3e8ae4e2589c

SHA256
498cfe20132fe22e726b0fb8c5d6bd6153cc73416567148ab469f78820bc6b60

SHA512
fa180bc3c80220c641d445daa82ca4b195dd4c716e3c9e596546bdb3100e0e3fd8e306d0b88c1cf01ab5fe4ef984965d883605e3ef05540767b819157cdb55c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_VoicemodDesktop.exe.txt

Filesize
7KB

MD5
098586304619f2219868db064665a704

SHA1
2f7731560259fd37695d7c4a79f81647ed004bf7

SHA256
ca5e2b2feb2e26aee3af8c391cc29bfe400f63219141e347d736123639e3d103

SHA512
34b3a4053804c54c7e9d022ee59512ad56bdceae81ecc6f50f9eb8c7c500d144192038738f7c8db2384d3778bf963717e2fd6a1740cb4b4970b253d38ff7a066

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt

Filesize
7KB

MD5
ecee5f66c8595a6d3afb5e69b473b1bb

SHA1
ce4d32005582699015ca2b3fa1ff83f0d36c80cc

SHA256
ee27d35c44b0ad021c7c7993ac09315064ad3cda290a4ea4f69714de6dc0a4b6

SHA512
52bd5c31276c49074f752f8fc516ec1181a8efe251a69140c19d7dfd9b7bcf4d17c17d7c8dd87ad35f9a835eaeaf707cf7930fe8a0c826960f5727831c79fb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ee329ae5-074d-de4b-abe3-12c672902493}\SET9763.tmp

Filesize
4KB

MD5
53bdc7ca40487c4f643db4ff2c1d2fa8

SHA1
91d750b1347831365729f4ce22ba13ea8ae91dfe

SHA256
651b6a24e897b78ac164578a24f97961a3507366db7875765a7ad274d7e787a2

SHA512
8ec9c30c68d40a0fa11a43c872c14dc8d0d44b0a97ff3dd1c276b82c4a1c144ba9043a9cf0716c5f37c2fd95d43fcecc858d2ffc442dcbd4ff43f3cd86b8c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ee329ae5-074d-de4b-abe3-12c672902493}\mvvad.cat

Filesize
11KB

MD5
dca9fa98db5e1e00a86b21a42e0cfddb

SHA1
06381ce9b5c8e52a7c6fbe635cbe1ea063535a4c

SHA256
a75ae4d761054f1ef771434dc2227fc4a130820aae6f6ffb72a2ff62d130fc4f

SHA512
8d7e56e1587ef1d424c2d7765946c34851b51068236411131a3ed4e588605602e741c5d22017b95a5fdb76786809e777f59b67ad4553d69aab6a0653c1446a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ee329ae5-074d-de4b-abe3-12c672902493}\mvvad.sys

Filesize
47KB

MD5
b695055318ef82cc15971b882d71890f

SHA1
86b5d52e404b56245130d5858784aeac25ca67d5

SHA256
1f040cbb99d627bcfa63979b539d6c93e6d5a85c1a103f501aa88b816954b400

SHA512
bae69f3021029934ab195f83ac7c654d90f40350c626972f17ccbcb848c02541b605f987515b0f1a17bb23d84cbfdf845731fdf96022ce272afe4d2a763bffee

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
679d2ce9b15e8ea32d7f1253d4824d0a

SHA1
0dd2b597970b715d49d442ac5cbc13613ebc3d26

SHA256
5ed3450185066b4534715b4ea88865f3b4cc259124170f3fa7e607fbd70978b6

SHA512
ec607dd71e07d917372e7dd36453386e0916ce1b110d24da1e986efafe8877083e63c09b1c9b3b4d55a0c78cd7fa79592175752ede0096c4923f57e060819c05

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7d606394c0f295c89bd2980f3a8cce80

SHA1
7e2b96635d5555a52dbdeddee890f6c405eab0ce

SHA256
53ba11f096d3c856bb5a621c97590d8d2f56c3b356792c3128a7bc008269dd6f

SHA512
d8ac44828fd3a1d10a5d754b65d2d47cd873b9e035bdf691ff8e06b0a811892768aa35aa2ca2b0b974a73b09dec2f39205c0a85df4bd371ff80a12f7dbecf6d0

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\LocalPrefs.json

Filesize
693B

MD5
183a527d74a1fb67e44df1daf85088bc

SHA1
5351b2d4a9bc62ba95166ae0e1bb402ccc3e8e7d

SHA256
819e5dad876408d87e0250c5fb20b27cb674db15017bd199d7f7afa0a2d90a5e

SHA512
62dc05f9c19fde2676bfb71ffae50ef8c666a34f4ec91d7a06f8f08e6ab7ebd70b8191b099726b3372a6f63fe1235f4cc7bdbdbe73767891f950daf7a28e24fd

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\LocalPrefs.json

Filesize
786B

MD5
567a54bc585f20f90acac405dfed1ca6

SHA1
9eef3ff3a6ed2487196a054ccf59748093b2ec77

SHA256
e10dbe777966f6a7360ce90bce5dcd4934b1d7337c9689a764861b3e3c83f60a

SHA512
0984499aeb239f6e8c7dc2d70c9eacf0816764dd479aee85d2f16c652c084c5e5ab1cf7cc0d8aaa179c9e10d6dacfbc93f01046463a41d11cd693559ee6e6a66

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\LocalPrefs.json~RFe61d0bd.TMP

Filesize
484B

MD5
895e69d45f74b5c0a3673c2d6bacf57f

SHA1
198892cdd815817f37d2ef78d470e44ee392d0cd

SHA256
a817ff36239c759999236441fbd89d865e187a132440999821e4436789163965

SHA512
f3f45c2a670cbc2ade08db6e75f7be99e82add83c1160a533a27ca4e13d62f42df29c69733119875427128fa673f884057c6b03ef9d7ab8d70391930d4c7b901

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Network\Network Persistent State

Filesize
697B

MD5
c68c8fb90c4b6bb5563f4ae8c7af9ebc

SHA1
a21d60dc77634c2123aba7047ffac861452df587

SHA256
48f005f4143e7169f0fed57978687cf1d80d032c080d03d1bb0b8e306c1787a4

SHA512
442a0ae1afde3d00f061082e2c4b9ed33dca0480e695b17b87619106668edd456dd93e4343356c7c48356e228c8b2ebf02ee862f8aef00382290fcc770000a29

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\cache\Network\Network Persistent State~RFe61df34.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\settings\voicemod.db

Filesize
16KB

MD5
008c3df1f06914671a4e1260820d6082

SHA1
88fecaddd0496be3ee75bf4ef99a5dc7836c4c2c

SHA256
73a95fab6062e4662cc2816e735e73f935d40b156d5313918cb174bfbc7116f6

SHA512
fe611e085c5bf72b44b18222d76485783b68a9e5e30ce27f9485a179bdffe5657e6221636c75a6d9704f657c9fbd3f52e73a97106de9a8084a99fc5ec5061ee9

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\vmlog.txt

Filesize
6KB

MD5
c236d6623c0883569e411d082b2feb19

SHA1
1e4716fca2fde032de02cb8aca791f62b4958a13

SHA256
14ee08b07ec2cf60edb6d05e933841f7085189fb782c9fb4aa781b553627c6a2

SHA512
8c7b6d4f817ec3e8bef857f98f64d6411c30a846e6d0990c2fa7f1f77e9a44cbb7625a2d98ed91c10b4e58ab01e4390e6fa765a7082b8ccf4a1adf1dc09f1e73

Download Submit
\??\c:\PROGRA~1\VOICEM~1\driver\vmdrv.sys

Filesize
47KB

MD5
0e625b7a7c3f75524e307b160f8db337

SHA1
5088c71a740ef7c4156dcaa31e543052fe226e1c

SHA256
d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3

SHA512
0ad805d11413dcc9d3c549b94a3644fc9c9caa23f0a661c9aef41c1e6f8d91de784817668ff4f34b3f50d738aa8097b2a0ee38de078ed97f5c17635533e9e165

Download Submit
\??\c:\program files\voicemod desktop\driver\vmdrv.cat

Filesize
10KB

MD5
46bb11132e5800c97b9d2c1df6e6fe88

SHA1
83a6cb8f90ce3a805609eaa3472ee480ac30a8b2

SHA256
6bfcc755ffedaefbd2aa94988dbfc2492a185ec1621ccb2db9194d1f83df5ccf

SHA512
fd3de31cf8025e933c8a4966938ab4b59fb9adca41b009c0ef0129bf5297bf4a64e5d4bde662f2aec62ccb3c05bc10c309196c73355cbd409ab4b1f6ba86ad08

Download Submit
memory/1492-2299-0x00000281F44F0000-0x00000281F460D000-memory.dmp

Filesize
1.1MB

Download
memory/3136-2307-0x00000217193A0000-0x00000217193C6000-memory.dmp

Filesize
152KB

Download
memory/3136-2284-0x0000021773C00000-0x0000021773DB3000-memory.dmp

Filesize
1.7MB

Download
memory/3732-1777-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/3732-1799-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/3732-1800-0x0000000003610000-0x000000000361E000-memory.dmp

Filesize
56KB

Download
memory/3732-1792-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/3732-1860-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/3732-1787-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/3732-1797-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/3732-1782-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/3732-1723-0x0000000003610000-0x000000000361E000-memory.dmp

Filesize
56KB

Download
memory/3732-1840-0x0000000003610000-0x000000000361E000-memory.dmp

Filesize
56KB

Download
memory/4436-1556-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4436-922-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4436-808-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4648-1588-0x0000026A1E000000-0x0000026A1F000000-memory.dmp

Filesize
16.0MB

Download
memory/4648-1586-0x0000026A1DEE0000-0x0000026A1DFFD000-memory.dmp

Filesize
1.1MB

Download
memory/4808-1612-0x000001C3FCE70000-0x000001C3FCE78000-memory.dmp

Filesize
32KB

Download
memory/4808-1566-0x000001C3F44E0000-0x000001C3F454C000-memory.dmp

Filesize
432KB

Download
memory/4808-1615-0x000001C3FCF20000-0x000001C3FCF30000-memory.dmp

Filesize
64KB

Download
memory/4808-1614-0x000001C3FDCE0000-0x000001C3FDD3C000-memory.dmp

Filesize
368KB

Download
memory/4808-1613-0x000001C3FCF10000-0x000001C3FCF1A000-memory.dmp

Filesize
40KB

Download
memory/4808-1611-0x000001C3FDC50000-0x000001C3FDC76000-memory.dmp

Filesize
152KB

Download
memory/4808-1555-0x000001C3F3D20000-0x000001C3F3D3C000-memory.dmp

Filesize
112KB

Download
memory/4808-1610-0x000001C3FDC30000-0x000001C3FDC4A000-memory.dmp

Filesize
104KB

Download
memory/4808-1617-0x000001C399940000-0x000001C39997A000-memory.dmp

Filesize
232KB

Download
memory/4808-1618-0x000001C399900000-0x000001C399926000-memory.dmp

Filesize
152KB

Download
memory/4808-1585-0x000001C39AB30000-0x000001C39BE88000-memory.dmp

Filesize
19.3MB

Download
memory/4808-1584-0x000001C3FDC10000-0x000001C3FDC2E000-memory.dmp

Filesize
120KB

Download
memory/4808-1575-0x000001C3F4720000-0x000001C3F48D3000-memory.dmp

Filesize
1.7MB

Download
memory/4808-1574-0x000001C3F46E0000-0x000001C3F4716000-memory.dmp

Filesize
216KB

Download
memory/4808-1573-0x000001C3F4470000-0x000001C3F447A000-memory.dmp

Filesize
40KB

Download
memory/4808-1572-0x000001C3F4690000-0x000001C3F469A000-memory.dmp

Filesize
40KB

Download
memory/4808-1567-0x000001C3F44B0000-0x000001C3F44D2000-memory.dmp

Filesize
136KB

Download
memory/4808-1616-0x000001C3FDCA0000-0x000001C3FDCB2000-memory.dmp

Filesize
72KB

Download
memory/4808-1560-0x000001C3F43C0000-0x000001C3F43D2000-memory.dmp

Filesize
72KB

Download
memory/4808-1562-0x000001C3F43F0000-0x000001C3F43FC000-memory.dmp

Filesize
48KB

Download
memory/4808-1563-0x000001C3F4400000-0x000001C3F4410000-memory.dmp

Filesize
64KB

Download
memory/4808-1561-0x000001C3F43B0000-0x000001C3F43C0000-memory.dmp

Filesize
64KB

Download
memory/4808-1559-0x000001C3F43E0000-0x000001C3F43E8000-memory.dmp

Filesize
32KB

Download
memory/4808-1558-0x000001C3F3DF0000-0x000001C3F3E0A000-memory.dmp

Filesize
104KB

Download
memory/4808-1551-0x000001C3F3D40000-0x000001C3F3D52000-memory.dmp

Filesize
72KB

Download
memory/4808-1554-0x000001C3F3E60000-0x000001C3F3ECA000-memory.dmp

Filesize
424KB

Download
memory/4808-1669-0x000001C3FCF30000-0x000001C3FCF3A000-memory.dmp

Filesize
40KB

Download
memory/4808-1670-0x000001C3FDC80000-0x000001C3FDC88000-memory.dmp

Filesize
32KB

Download
memory/4808-1692-0x000001C3F48E0000-0x000001C3F58E0000-memory.dmp

Filesize
16.0MB

Download
memory/4808-1671-0x000001C39D510000-0x000001C39DA38000-memory.dmp

Filesize
5.2MB

Download
memory/4808-1512-0x000001C3F12C0000-0x000001C3F17AA000-memory.dmp

Filesize
4.9MB

Download
memory/4808-1557-0x000001C3F4350000-0x000001C3F439A000-memory.dmp

Filesize
296KB

Download
memory/4808-1516-0x000001C3F3ED0000-0x000001C3F3FA2000-memory.dmp

Filesize
840KB

Download
memory/4808-1514-0x000001C3F3D60000-0x000001C3F3DE4000-memory.dmp

Filesize
528KB

Download
memory/4808-1549-0x000001C3F42A0000-0x000001C3F434A000-memory.dmp

Filesize
680KB

Download
memory/4860-3122-0x000002BD65E40000-0x000002BD65F60000-memory.dmp

Filesize
1.1MB

Download
memory/4864-3097-0x000002E279B10000-0x000002E279B1E000-memory.dmp

Filesize
56KB

Download
memory/4864-3198-0x000002E27AA20000-0x000002E27AA2E000-memory.dmp

Filesize
56KB

Download
memory/4864-3081-0x000002E279B50000-0x000002E279BC0000-memory.dmp

Filesize
448KB

Download
memory/4864-3082-0x000002E2611D0000-0x000002E2611DA000-memory.dmp

Filesize
40KB

Download
memory/4864-3083-0x000002E2611E0000-0x000002E2611EA000-memory.dmp

Filesize
40KB

Download
memory/4864-3079-0x000002E279F90000-0x000002E27A040000-memory.dmp

Filesize
704KB

Download
memory/4864-3095-0x000002E27A040000-0x000002E27A052000-memory.dmp

Filesize
72KB

Download
memory/4864-3096-0x000002E279B00000-0x000002E279B0E000-memory.dmp

Filesize
56KB

Download
memory/4864-3098-0x000002E27A060000-0x000002E27A06A000-memory.dmp

Filesize
40KB

Download
memory/4864-3078-0x000002E27A1D0000-0x000002E27A38E000-memory.dmp

Filesize
1.7MB

Download
memory/4864-3099-0x000002E27A4A0000-0x000002E27A4B4000-memory.dmp

Filesize
80KB

Download
memory/4864-3077-0x000002E27A0B0000-0x000002E27A1C4000-memory.dmp

Filesize
1.1MB

Download
memory/4864-3067-0x000002E279BC0000-0x000002E279C94000-memory.dmp

Filesize
848KB

Download
memory/4864-3066-0x000002E25F920000-0x000002E25F930000-memory.dmp

Filesize
64KB

Download
memory/4864-3038-0x000002E25EFC0000-0x000002E25F542000-memory.dmp

Filesize
5.5MB

Download
memory/4864-3204-0x000002E27AB80000-0x000002E27AC7E000-memory.dmp

Filesize
1016KB

Download
memory/4864-3135-0x000002E27A6A0000-0x000002E27A792000-memory.dmp

Filesize
968KB

Download
memory/4864-3134-0x000002E27A4C0000-0x000002E27A4DA000-memory.dmp

Filesize
104KB

Download
memory/4864-3149-0x000002E27A5E0000-0x000002E27A614000-memory.dmp

Filesize
208KB

Download
memory/4864-3142-0x000002E210D80000-0x000002E211A9E000-memory.dmp

Filesize
13.1MB

Download
memory/4864-3165-0x000002E27A670000-0x000002E27A694000-memory.dmp

Filesize
144KB

Download
memory/4864-3167-0x000002E27A870000-0x000002E27A8E6000-memory.dmp

Filesize
472KB

Download
memory/4864-3187-0x000002E27A960000-0x000002E27A968000-memory.dmp

Filesize
32KB

Download
memory/4864-3190-0x000002E27A9C0000-0x000002E27A9CE000-memory.dmp

Filesize
56KB

Download
memory/4864-3191-0x000002E27A9D0000-0x000002E27A9D8000-memory.dmp

Filesize
32KB

Download
memory/4864-3192-0x000002E27AA00000-0x000002E27AA16000-memory.dmp

Filesize
88KB

Download
memory/4864-3189-0x000002E27A970000-0x000002E27A97C000-memory.dmp

Filesize
48KB

Download
memory/4864-3188-0x000002E25EFC0000-0x000002E25F542000-memory.dmp

Filesize
5.5MB

Download
memory/4864-3186-0x000002E27A930000-0x000002E27A93E000-memory.dmp

Filesize
56KB

Download
memory/4864-3185-0x000002E27A9A0000-0x000002E27A9B8000-memory.dmp

Filesize
96KB

Download
memory/4864-3184-0x000002E27A980000-0x000002E27A996000-memory.dmp

Filesize
88KB

Download
memory/4864-3183-0x000002E27A920000-0x000002E27A92A000-memory.dmp

Filesize
40KB

Download
memory/4864-3182-0x000002E27A940000-0x000002E27A95C000-memory.dmp

Filesize
112KB

Download
memory/4864-3181-0x000002E27A900000-0x000002E27A90C000-memory.dmp

Filesize
48KB

Download
memory/4864-3175-0x000002E27A8F0000-0x000002E27A8FC000-memory.dmp

Filesize
48KB

Download
memory/4864-3174-0x000002E27A860000-0x000002E27A86A000-memory.dmp

Filesize
40KB

Download
memory/4864-3199-0x000002E27AA30000-0x000002E27AA3A000-memory.dmp

Filesize
40KB

Download
memory/4864-3080-0x000002E27A390000-0x000002E27A406000-memory.dmp

Filesize
472KB

Download
memory/4864-3197-0x000002E27A9F0000-0x000002E27A9FC000-memory.dmp

Filesize
48KB

Download
memory/4864-3196-0x000002E27A9E0000-0x000002E27A9EE000-memory.dmp

Filesize
56KB

Download
memory/4864-3195-0x000002E27AA50000-0x000002E27AA76000-memory.dmp

Filesize
152KB

Download
memory/4864-3173-0x000002E27A810000-0x000002E27A81A000-memory.dmp

Filesize
40KB

Download
memory/4864-3172-0x000002E27A800000-0x000002E27A808000-memory.dmp

Filesize
32KB

Download
memory/4864-3171-0x000002E27A840000-0x000002E27A854000-memory.dmp

Filesize
80KB

Download
memory/4864-3170-0x000002E27A820000-0x000002E27A83C000-memory.dmp

Filesize
112KB

Download
memory/4864-3169-0x000002E27A660000-0x000002E27A668000-memory.dmp

Filesize
32KB

Download
memory/4864-3168-0x000002E27A650000-0x000002E27A660000-memory.dmp

Filesize
64KB

Download
memory/4864-3157-0x000002E27A7A0000-0x000002E27A7F0000-memory.dmp

Filesize
320KB

Download
memory/4864-3156-0x000002E27A620000-0x000002E27A628000-memory.dmp

Filesize
32KB

Download
memory/4864-3155-0x000002E27A5D0000-0x000002E27A5D8000-memory.dmp

Filesize
32KB

Download
memory/4864-3154-0x000002E27A5C0000-0x000002E27A5C8000-memory.dmp

Filesize
32KB

Download
memory/4864-3153-0x000002E27A500000-0x000002E27A508000-memory.dmp

Filesize
32KB

Download
memory/4864-3152-0x000002E27A0A0000-0x000002E27A0AC000-memory.dmp

Filesize
48KB

Download
memory/4864-3151-0x000002E27A5A0000-0x000002E27A5C0000-memory.dmp

Filesize
128KB

Download
memory/4864-3150-0x000002E27A070000-0x000002E27A07C000-memory.dmp

Filesize
48KB

Download
memory/4864-3166-0x000002E27A640000-0x000002E27A648000-memory.dmp

Filesize
32KB

Download
memory/4864-3164-0x000002E27A630000-0x000002E27A63A000-memory.dmp

Filesize
40KB

Download
memory/4964-1798-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4964-1704-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5072-1697-0x0000020664930000-0x0000020665930000-memory.dmp

Filesize
16.0MB

Download
memory/5724-924-0x0000000003790000-0x000000000379E000-memory.dmp

Filesize
56KB

Download
memory/5724-895-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/5724-1015-0x0000000003790000-0x000000000379E000-memory.dmp

Filesize
56KB

Download
memory/5724-993-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/5724-923-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/5724-1506-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/5724-1390-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/5724-1014-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/5724-900-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/5724-910-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/5724-905-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/5724-890-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/5724-835-0x0000000003790000-0x000000000379E000-memory.dmp

Filesize
56KB

Download
memory/5724-1429-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/5724-1552-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/5740-1702-0x00000253D1840000-0x00000253D2840000-memory.dmp

Filesize
16.0MB

Download