7bc72601a99488910e0e3ebfd167b0e6c6a66ac7aa0de499699b7621859e320f

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voicemod Pro by mr.motchy/VoicemodSetup.exe
Size

22.2MB
MD5

2c74a59f3a312c9003e3bdf2f458c87f
SHA1

97b1ede9c186ea36a74bceb1bf5e5689aad99086
SHA256

afd7452c34570e409fc0c2bc8a22fb7429a3cc8f48e85fe6a154656ec020330d
SHA512

b5e8810733694aa773c4c3b8a4063e5fddd962b64d2ad697223ddeb7337f09e8c21fc1efdb2c13c854f2e6884940fac217338e0839fd21d2b4db3c2da031a392
SSDEEP

393216:D2MvvQScyvXuaXVTwkBgoEMNBrDXLuzLYzCdcv8p5UPxaMQlBf4PrE:SMvVcysoEcLuzLig5p5UPxtyAP4

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\SETC0A6.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SETC0A6.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\SETC181.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SETC181.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vmdrv.sys	DrvInst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voicemod = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\""	VoicemodSetup.tmp

Downloads MZ/PE file
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}\SETBEB2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.PNF	devcon.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.PNF	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}\vmdrv.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}\SETBEC4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}\SETBEB2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}\SETBEC3.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}\SETBEC3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}\vmdrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{54689b67-f2be-0047-a86b-620e798aa0b6}\SETBEC4.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Voicemod Desktop\de\is-OD587.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\fr\is-1U1EP.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\VoicemodControls.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-REBHE.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ru\is-2NG7O.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh\SimpleConverter.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\fr\SimpleConverter.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\pt\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ru\is-65HL6.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\es\SimpleConverter.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\UninstTools.exe	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-9DPF7.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\es\is-CF5K0.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\Newtonsoft.Json.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\WpfAnimatedGif.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\fr\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\AutoUpdater.NET.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\de\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ru\SimpleConverter.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-8NIS4.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\de\is-HHO85.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ko\is-9IAFB.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\fr\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ko\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-TSR4L.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\de\SimpleConverter.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\unins000.dat	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ko\is-F3R8N.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\Fleck.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-G9C2J.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\es\is-DAPE0.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ru\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\48000\is-05H7I.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-C75GG.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ru\is-CE7HE.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ko\is-BOEVO.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\es\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-JFP47.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\fr\is-BADB4.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-HQQ27.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\unins000.msg	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-QGGFJ.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\zh\is-8N25L.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ko\SimpleConverter.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-EU4UV.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-VFUTK.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\Hardcodet.Wpf.TaskbarNotification.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-BU3EN.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-KIQJS.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\pt\is-RGOC8.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\devcon.exe	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\VoicemodLogger.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-6POU7.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\NAudio.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\pt\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-CFMTK.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\es\is-OEVC4.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\System.Text.Encodings.Web.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-HUBHB.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-M8HDG.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-G0FHR.tmp	VoicemodSetup.tmp

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File created	C:\Windows\INF\oem0.PNF	devcon.exe
File created	C:\Windows\INF\oem1.PNF	devcon.exe
File created	C:\Windows\INF\oem2.PNF	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\c_media.PNF	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 11 IoCs

pid	Process
4844	VoicemodSetup.tmp
4780	vc_redist.x64.exe
4108	vc_redist.x64.exe
3932	vc_redist.x86.exe
1440	vc_redist.x86.exe
1828	SaveDefaultDevices.exe
3244	devcon.exe
408	devcon.exe
3552	devcon.exe
2700	VoicemodDesktop.exe
1188	VoicemodDesktop.exe

Loads dropped DLL 10 IoCs

pid	Process
4844	VoicemodSetup.tmp
4108	vc_redist.x64.exe
1440	vc_redist.x86.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4844	VoicemodSetup.tmp
4844	VoicemodSetup.tmp
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
1188	VoicemodDesktop.exe
1188	VoicemodDesktop.exe
1188	VoicemodDesktop.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeAuditPrivilege	4108	svchost.exe
Token: SeSecurityPrivilege	4108	svchost.exe
Token: SeLoadDriverPrivilege	408	devcon.exe
Token: SeRestorePrivilege	4624	DrvInst.exe
Token: SeBackupPrivilege	4624	DrvInst.exe
Token: SeRestorePrivilege	4624	DrvInst.exe
Token: SeBackupPrivilege	4624	DrvInst.exe
Token: SeRestorePrivilege	4624	DrvInst.exe
Token: SeBackupPrivilege	4624	DrvInst.exe
Token: SeLoadDriverPrivilege	4624	DrvInst.exe
Token: SeLoadDriverPrivilege	4624	DrvInst.exe
Token: SeLoadDriverPrivilege	4624	DrvInst.exe
Token: SeLoadDriverPrivilege	3552	devcon.exe
Token: SeRestorePrivilege	836	DrvInst.exe
Token: SeBackupPrivilege	836	DrvInst.exe
Token: SeRestorePrivilege	836	DrvInst.exe
Token: SeBackupPrivilege	836	DrvInst.exe
Token: SeRestorePrivilege	836	DrvInst.exe
Token: SeBackupPrivilege	836	DrvInst.exe
Token: SeLoadDriverPrivilege	836	DrvInst.exe
Token: SeLoadDriverPrivilege	836	DrvInst.exe
Token: SeLoadDriverPrivilege	836	DrvInst.exe
Token: SeLoadDriverPrivilege	836	DrvInst.exe
Token: SeDebugPrivilege	2700	VoicemodDesktop.exe
Token: SeDebugPrivilege	1188	VoicemodDesktop.exe
Token: 33	1692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1692	AUDIODG.EXE
Token: 33	2700	VoicemodDesktop.exe
Token: SeIncBasePriorityPrivilege	2700	VoicemodDesktop.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4844	VoicemodSetup.tmp
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe
2700	VoicemodDesktop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 4844	1192	VoicemodSetup.exe	92
PID 1192 wrote to memory of 4844	1192	VoicemodSetup.exe	92
PID 1192 wrote to memory of 4844	1192	VoicemodSetup.exe	92
PID 4844 wrote to memory of 4780	4844	VoicemodSetup.tmp	109
PID 4844 wrote to memory of 4780	4844	VoicemodSetup.tmp	109
PID 4844 wrote to memory of 4780	4844	VoicemodSetup.tmp	109
PID 4780 wrote to memory of 4108	4780	vc_redist.x64.exe	110
PID 4780 wrote to memory of 4108	4780	vc_redist.x64.exe	110
PID 4780 wrote to memory of 4108	4780	vc_redist.x64.exe	110
PID 4844 wrote to memory of 3932	4844	VoicemodSetup.tmp	111
PID 4844 wrote to memory of 3932	4844	VoicemodSetup.tmp	111
PID 4844 wrote to memory of 3932	4844	VoicemodSetup.tmp	111
PID 3932 wrote to memory of 1440	3932	vc_redist.x86.exe	113
PID 3932 wrote to memory of 1440	3932	vc_redist.x86.exe	113
PID 3932 wrote to memory of 1440	3932	vc_redist.x86.exe	113
PID 4844 wrote to memory of 1828	4844	VoicemodSetup.tmp	114
PID 4844 wrote to memory of 1828	4844	VoicemodSetup.tmp	114
PID 4844 wrote to memory of 320	4844	VoicemodSetup.tmp	116
PID 4844 wrote to memory of 320	4844	VoicemodSetup.tmp	116
PID 320 wrote to memory of 396	320	cmd.exe	118
PID 320 wrote to memory of 396	320	cmd.exe	118
PID 396 wrote to memory of 3244	396	cmd.exe	119
PID 396 wrote to memory of 3244	396	cmd.exe	119
PID 320 wrote to memory of 408	320	cmd.exe	120
PID 320 wrote to memory of 408	320	cmd.exe	120
PID 4108 wrote to memory of 3952	4108	svchost.exe	122
PID 4108 wrote to memory of 3952	4108	svchost.exe	122
PID 4108 wrote to memory of 4624	4108	svchost.exe	123
PID 4108 wrote to memory of 4624	4108	svchost.exe	123
PID 320 wrote to memory of 3552	320	cmd.exe	125
PID 320 wrote to memory of 3552	320	cmd.exe	125
PID 4108 wrote to memory of 836	4108	svchost.exe	126
PID 4108 wrote to memory of 836	4108	svchost.exe	126
PID 4844 wrote to memory of 2700	4844	VoicemodSetup.tmp	130
PID 4844 wrote to memory of 2700	4844	VoicemodSetup.tmp	130
PID 2700 wrote to memory of 2264	2700	VoicemodDesktop.exe	185
PID 2700 wrote to memory of 2264	2700	VoicemodDesktop.exe	185
PID 2700 wrote to memory of 100	2700	VoicemodDesktop.exe	191
PID 2700 wrote to memory of 100	2700	VoicemodDesktop.exe	191
PID 2700 wrote to memory of 1500	2700	VoicemodDesktop.exe	203
PID 2700 wrote to memory of 1500	2700	VoicemodDesktop.exe	203
PID 2700 wrote to memory of 4588	2700	VoicemodDesktop.exe	211
PID 2700 wrote to memory of 4588	2700	VoicemodDesktop.exe	211
PID 2700 wrote to memory of 1348	2700	VoicemodDesktop.exe	210
PID 2700 wrote to memory of 1348	2700	VoicemodDesktop.exe	210
PID 2700 wrote to memory of 3720	2700	VoicemodDesktop.exe	149
PID 2700 wrote to memory of 3720	2700	VoicemodDesktop.exe	149
PID 2700 wrote to memory of 1680	2700	VoicemodDesktop.exe	153
PID 2700 wrote to memory of 1680	2700	VoicemodDesktop.exe	153
PID 2700 wrote to memory of 100	2700	VoicemodDesktop.exe	191
PID 2700 wrote to memory of 100	2700	VoicemodDesktop.exe	191
PID 2700 wrote to memory of 3092	2700	VoicemodDesktop.exe	188
PID 2700 wrote to memory of 3092	2700	VoicemodDesktop.exe	188
PID 2700 wrote to memory of 4232	2700	VoicemodDesktop.exe	159
PID 2700 wrote to memory of 4232	2700	VoicemodDesktop.exe	159
PID 2700 wrote to memory of 768	2700	VoicemodDesktop.exe	161
PID 2700 wrote to memory of 768	2700	VoicemodDesktop.exe	161
PID 2700 wrote to memory of 4588	2700	VoicemodDesktop.exe	211
PID 2700 wrote to memory of 4588	2700	VoicemodDesktop.exe	211
PID 2700 wrote to memory of 992	2700	VoicemodDesktop.exe	165
PID 2700 wrote to memory of 992	2700	VoicemodDesktop.exe	165
PID 2700 wrote to memory of 1896	2700	VoicemodDesktop.exe	216
PID 2700 wrote to memory of 1896	2700	VoicemodDesktop.exe	216
PID 2700 wrote to memory of 2844	2700	VoicemodDesktop.exe	215

C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\is-3DMC2.tmp\VoicemodSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3DMC2.tmp\VoicemodSetup.tmp" /SL5="$D01BE,22991991,87040,C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\is-UEUQS.tmp\vc_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-UEUQS.tmp\vc_redist.x64.exe" /quiet /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\Temp\{693025AB-A27F-407E-B331-7817D84AF77C}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{693025AB-A27F-407E-B331-7817D84AF77C}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-UEUQS.tmp\vc_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4108
- - C:\Users\Admin\AppData\Local\Temp\is-UEUQS.tmp\vc_redist.x86.exe
    "C:\Users\Admin\AppData\Local\Temp\is-UEUQS.tmp\vc_redist.x86.exe" /quiet /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\Temp\{17D569B5-A769-45FB-8EC0-B4573D90837E}\.cr\vc_redist.x86.exe
      "C:\Windows\Temp\{17D569B5-A769-45FB-8EC0-B4573D90837E}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-UEUQS.tmp\vc_redist.x86.exe" -burn.filehandle.attached=548 -burn.filehandle.self=544 /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1440
- - C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
    "C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt
    3⤵
    - Executes dropped EXE
    PID:1828
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "devcon.exe dp_enum"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Program Files\Voicemod Desktop\driver\devcon.exe
        
        devcon.exe dp_enum
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:3244
  - - C:\Program Files\Voicemod Desktop\driver\devcon.exe
      devcon install vmdrv.inf *VMDriver
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:408
  - - C:\Program Files\Voicemod Desktop\driver\devcon.exe
      devcon update vmdrv.inf *VMDriver
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:3552
- - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
    "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-alien-vocoder*.wav
      4⤵
      PID:2264
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-android-background*.wav
      4⤵
      PID:100
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-android-vocoder*.wav
      4⤵
      PID:1500
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-aphonic-vocoder*.wav
      4⤵
      PID:4588
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-beach*.wav
      4⤵
      PID:1348
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-capella*.wav
      4⤵
      PID:3720
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-reggae*.wav
      4⤵
      PID:1680
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-rock*.wav
      4⤵
      PID:100
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cave*.wav
      4⤵
      PID:3092
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cop-chase*.wav
      4⤵
      PID:4232
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cop-radio*.wav
      4⤵
      PID:768
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-fear-background*.wav
      4⤵
      PID:4588
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-fear-background-in*.wav
      4⤵
      PID:992
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-franky-background*.wav
      4⤵
      PID:1896
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-franky-vocoder*.wav
      4⤵
      PID:2844
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-ghost-background*.wav
      4⤵
      PID:3944
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-ghost-vocoder*.wav
      4⤵
      PID:1500
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-harmony-vocoder*.wav
      4⤵
      PID:3932
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-hurry-up-in*.wav
      4⤵
      PID:2168
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-hurry-up-loop*.wav
      4⤵
      PID:4588
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-bee*.wav
      4⤵
      PID:672
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-growl*.wav
      4⤵
      PID:2864
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-leopard*.wav
      4⤵
      PID:2648
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-tiger*.wav
      4⤵
      PID:3092
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-magic-chords-vocoder*.wav
      4⤵
      PID:1196
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:100
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-party-time-background*.wav
      4⤵
      PID:2336
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-party-time-vocoder*.wav
      4⤵
      PID:1348
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-possessed-background*.wav
      4⤵
      PID:4816
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-robot-background*.wav
      4⤵
      PID:1512
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-robot-vocoder*.wav
      4⤵
      PID:1896
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-romantic-paris*.wav
      4⤵
      PID:1448
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1500
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-romantic-ulala*.wav
      4⤵
      PID:3764
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-santa-background*.wav
      4⤵
      PID:2912
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2168
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-sleepyhead*.wav
      4⤵
      PID:428
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spacemen-background*.wav
      4⤵
      PID:1348
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4588
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-speechifier-ovation-background*.wav
      4⤵
      PID:2200
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4816
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-speechifier-protest-background*.wav
      4⤵
      PID:2748
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2844
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spirit-background*.wav
      4⤵
      PID:1896
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spirit-vocoder*.wav
      4⤵
      PID:4020
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-action-background*.wav
      4⤵
      PID:1828
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-drama-background*.wav
      4⤵
      PID:2336
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-happy-background*.wav
      4⤵
      PID:5020
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-student-hall*.wav
      4⤵
      PID:3720
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-student-playtime*.wav
      4⤵
      PID:2864
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2200
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-sword-background*.wav
      4⤵
      PID:2764
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2748
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-underwater*.wav
      4⤵
      PID:4676
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-1*.wav
      4⤵
      PID:4020
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-2*.wav
      4⤵
      PID:1828
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-3*.wav
      4⤵
      PID:2336
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-4*.wav
      4⤵
      PID:876
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5020
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-1*.wav
      4⤵
      PID:3620
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-2*.wav
      4⤵
      PID:1512
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-3*.wav
      4⤵
      PID:2592
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-4*.wav
      4⤵
      PID:4580
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-background*.wav
      4⤵
      PID:1900
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-vocoder*.wav
      4⤵
      PID:2912
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1828
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-vocoder2*.wav
      4⤵
      PID:3648
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cooltune-vocoder*.wav
      4⤵
      PID:876
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-punk-vocoder*.wav
      4⤵
      PID:992
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx01*.wav
      4⤵
      PID:3944
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx02*.wav
      4⤵
      PID:4772
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx03*.wav
      4⤵
      PID:4432
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx04*.wav
      4⤵
      PID:1428
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx05*.wav
      4⤵
      PID:2908
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx06*.wav
      4⤵
      PID:1264
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx07*.wav
      4⤵
      PID:1732
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx08*.wav
      4⤵
      PID:4460
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx09*.wav
      4⤵
      PID:3044
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx10*.wav
      4⤵
      PID:3512
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx11*.wav
      4⤵
      PID:4676
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx12*.wav
      4⤵
      PID:4236
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx13*.wav
      4⤵
      PID:428
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx14*.wav
      4⤵
      PID:5080
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx15*.wav
      4⤵
      PID:1680
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar1*.wav
      4⤵
      PID:1732
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar2*.wav
      4⤵
      PID:4332
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar3*.wav
      4⤵
      PID:2748
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar4*.wav
      4⤵
      PID:3764
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar5*.wav
      4⤵
      PID:1432
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar6*.wav
      4⤵
      PID:4928
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky1*.wav
      4⤵
      PID:3056
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky2*.wav
      4⤵
      PID:4588
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky3*.wav
      4⤵
      PID:1864
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky4*.wav
      4⤵
      PID:2200
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky5*.wav
      4⤵
      PID:408
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-exo*.wav
      4⤵
      PID:4780
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-gameover-amb*.wav
      4⤵
      PID:2988
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-outofrange*.wav
      4⤵
      PID:4288
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder1*.wav
      4⤵
      PID:4092
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder2*.wav
      4⤵
      PID:1264
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder3*.wav
      4⤵
      PID:4960
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-titan-background-part1*.wav
      4⤵
      PID:992
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-titan-background-part2*.wav
      4⤵
      PID:1948
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx16*.wav
      4⤵
      PID:2844
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx17*.wav
      4⤵
      PID:3652
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx18*.wav
      4⤵
      PID:2116
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx19*.wav
      4⤵
      PID:1476
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx20*.wav
      4⤵
      PID:3720
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-bass*.wav
      4⤵
      PID:876
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-octava*.wav
      4⤵
      PID:3084
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-quinta*.wav
      4⤵
      PID:4984
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-tercera*.wav
      4⤵
      PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{b335cedc-5559-4f4c-80fa-ceaa0c53c71e}\vmdrv.inf" "9" "499a51a03" "000000000000014C" "WinSta0\Default" "0000000000000158" "208" "c:\program files\voicemod desktop\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3952
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:11.18.35.982:*vmdriver," "499a51a03" "0000000000000108"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:11.18.35.982:*vmdriver," "499a51a03" "0000000000000144"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:836

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\637d9949dfd142e2997ffb4c40ef1a21 /t 3628 /p 2700
1⤵
PID:224

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
2.8MB

MD5
60271d3806a3def814980266fd07f32d

SHA1
b862f3c346ef7d5834c5196dd5596c39296ceb17

SHA256
d2a3683c8078509b09d97da2d190dc9c19f52d22003e31bf29e352beb611be91

SHA512
5c351025379106f857c6a67defea313ab625a419c6bf10ddc6d6e9155826e990181b2e400ced40a6182893cae706a999f3b7516549ebd17b50f0f2070efc4408

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe.config

Filesize
8KB

MD5
4bff4b706028b0c1a4493478a41b6075

SHA1
0ebaa8b02aafee8a45b282c09bc59525e81eb2ee

SHA256
71245f7de6f8cd1855194be81c191f8435fbe62b780f40fadfbce1efabb21f44

SHA512
10c1b88fea7298610a9a8a78b83319fc8b3299513879031f63292de7c90520ecf3c2009ab8eb00a9f0ee262a4f433d272150db42a7e94fb20bb63b66e06c8f49

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\defaultdevices.txt

Filesize
79B

MD5
0e5eb142f749641ed53bbe3ef1dbe117

SHA1
a6d2fe121719a6b7fb1643ee5943400dc76110bb

SHA256
1858a607f47d5d33bc078209c49257888a1e1d1ffd7efe7c6045c627784de0f3

SHA512
164d12352a1593abcbf373471b36a73fc7674efb6d5673a67380d17da172b8ad0f0e6f307c014d0f0c92e71c344417db089a273086068a89c220440c50bebd49

Download Submit
C:\Program Files\Voicemod Desktop\driver\devcon.exe

Filesize
103KB

MD5
8d54022fb70fd952257ca4ea17efabc6

SHA1
8f0af9538ae263ead5d310b8cf393f46b0e4689e

SHA256
4bee65c38784c64888c12dc35fc706051dcdb32b4949766e83ad260096601812

SHA512
38a020b700b463331918c055bba8cd1e4281231954d854ad9b10d1da746f495afed5b110401266edfeb31416d2b0308209da1391ac0d1401da25546b380df38f

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrv.bat

Filesize
110B

MD5
8a8790395e17b81e5638c805d25f1aad

SHA1
da8fa73c457715c8a9c52e93f640bc34983f6a14

SHA256
8d0ee2177712918bde4be1fdba8d87815863d864a993a3361459ce194131f6a3

SHA512
9eb26cd0bc8e0d41ba4acb34eb4e809317dc5f7e1a0f7e6671dd64f6deb7720ffbfaff76b94e24162ddd992582793bb8f94227cd7b59fccb0234d753862fec75

Download Submit
C:\Program Files\Voicemod Desktop\driver\uninstalldriver.bat

Filesize
1KB

MD5
90df9e95ac9ce0911012063619c7f6db

SHA1
4d942854cfd3b5e21327a0c8a7366c570ef63a4e

SHA256
883f7763a00f6419f7acc21a1772077e16b432dd1b6d15ba092a3a3a19667bc3

SHA512
6513d48c996f845bf1635552fbda26c68c57a0cfb7dde0e92181378b9724cd69d80b5d0f2e5fea2c9dcca03f668e4da81fbbffbb2c356f301bbee6baddb525bc

Download Submit
C:\Program Files\Voicemod Desktop\driver\vmdrv.inf

Filesize
4KB

MD5
69ffb954ea5d86423e3119b1243245aa

SHA1
21b7dfed35ae606d6dd3a4084a9d2f23d5e0c0fe

SHA256
fdc1514450a4eac615d959e17e527c6d69cfe92871626b39bc38a096a439a45d

SHA512
bc6130d3e989109f246af6c5db4e1a08c6363dacbce25d7dc164c8d4a1f89682b6afb761ef1199d17eb35198b9dc60e6bbbe5c91e37739d42565a8039e5ca410

Download Submit
C:\Program Files\Voicemod Desktop\lib\Fleck.dll

Filesize
43KB

MD5
6d146f7df192621476283af335fd4180

SHA1
23856ece8d35a46fab20d999baec69b995819ff4

SHA256
65ae6fc064fe4e079fd7a462b79694b22275307723e0127dfe5c33132d30f902

SHA512
7d414ce663f2f1ac115335ab2f9454f6001fa175c71d49c6d09e0c3f3f1003809e56f7fba88a8d04b9e34a8032c3e4d2e467b30d12f7483ec60fee350a2fcef1

Download Submit
C:\Program Files\Voicemod Desktop\lib\Hardcodet.Wpf.TaskbarNotification.dll

Filesize
43KB

MD5
366cd5572e467b3b06515cfb4ab036ad

SHA1
156f75191d06905003a7ab811880556af8dad44a

SHA256
f84935be717e1c49a54c1d7f8476243a4d34c0ea90c4ad13afe3f50164ba5f2e

SHA512
96c4d4c8c05478dc124cbaaa3d36b304697edb1d0e7ae197c786f04e76df516cbf093d4aeae8cfeb9182f22c3758e93e242d43e8510935be473c1c0637a03e21

Download Submit
C:\Program Files\Voicemod Desktop\lib\Newtonsoft.Json.dll

Filesize
638KB

MD5
f33cbe589b769956284868104686cc2d

SHA1
2fb0be100de03680fc4309c9fa5a29e69397a980

SHA256
973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278

SHA512
ffd65f6487bc71c967abcf90a666080c67b8db010d5282d2060c9d87a9828519a14f5d3a6fe76d81e1d3251c2104a2e9e6186af0effd5f331b1342682811ebf4

Download Submit
C:\Program Files\Voicemod Desktop\lib\RawInputProcessor.dll

Filesize
21KB

MD5
33f6ad87b6d8128b831be2884cb4ab2e

SHA1
e4277426445197a7ae4463b7732ccb282fcecf42

SHA256
ee069a485d30cebc1c56f25d2c1b418c13bf685065f1a3c2976bbec42f5b53b9

SHA512
f7104bc09bc4ce4f773fc2637a0952adef836715a6298545a7124364aaa94124e2cea699672113805911b942758128255394361baa42997f02769b7df454c2e1

Download Submit
C:\Program Files\Voicemod Desktop\lib\SharpDX.RawInput.dll

Filesize
24KB

MD5
c424d62f5045d6e2800c7fdef5f1697d

SHA1
434e533928d6da0da41201d6e4b0baa97ac93b91

SHA256
727e4f5e311b1f582bc89ae9e2c3cd585b7952c433b6e7656521bac05811f651

SHA512
0e5a564d9de35eb3747350c4ff7e456cd8b544f89641c7bc7df03008c30ff0eae53b3d5c5744fc736fe9aab27d638455ad221499a2b13f2084cfb602f13fc114

Download Submit
C:\Program Files\Voicemod Desktop\lib\SharpDX.dll

Filesize
260KB

MD5
6fabeaa1c8ea15e787f2e3b487ab434d

SHA1
c2091f69192903676ed6b181bbf8346b819c43a2

SHA256
28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909

SHA512
076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

Download Submit
C:\Program Files\Voicemod Desktop\lib\SimpleConverter.dll

Filesize
10KB

MD5
f39f4d5a10201198b0789e10a915baa6

SHA1
f81e7ffe073217a48adf0d794261aa69ee943ec4

SHA256
f6d536162aed7f088b7d7d4bd18f33373f912cf6c3c2699cd7703ea2eef05cbe

SHA512
c337808b1f8436453f9b46057eb66b206e54d4810a11be11d125b1b92c31ab16d1faa4221d58c5e3813ecc3d7afe28d00a5fb9118d89b9d32558608d4e71d56c

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodControls.dll

Filesize
22KB

MD5
68cb781b645a287646e211ff3133fbe4

SHA1
20f79d9aff52da78a2cd946a1c4c6f5b2cd062d3

SHA256
f99f25bdfa5ea1a40fc219738ea3e56657a2119bd9d07c3961a168a72ab37f9e

SHA512
69b3e636f53e684fb2d1a1a183a8d3131c33d357269f4a009f8f0690c9662dee62b63be1bb79c0aecdc16f3320e616700971a1af5749a1d3af5dde6bf1335269

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodLogger.dll

Filesize
14KB

MD5
67f3a5fd99bc104a01a906df6f5896e3

SHA1
39527769e186278029a6d4303cb3015ac90d5c01

SHA256
8f2c68dd604321d09343b5566b74d72527e78ad717fc41e91d48ce931a8eedb0

SHA512
e46dc143ca5a73ba2215bf7cc5e9c530ea163db55418291bf2f2a8f83ec2084b025e0269f398d92c14f8fc5b182e08ab2868f288c559454c8ab5c517cf393995

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodSDKDotNET.dll

Filesize
22.4MB

MD5
a88987bb53e80e790611ead096add25b

SHA1
e4c7965384d4c467f228dcd83eb16754c47377cf

SHA256
0286fcd7d25ae394323ce46b23d800f966e4da4d8441d51d6d74f3943cd69b0f

SHA512
d21069e03636036b8484ec9e37cf5d56468b80b281923ca79607d56cfe7f2befaf1981850702958e07a28d95029bd2f42a1d5bb09c83e5da541dec58ec9c752c

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodShockets.dll

Filesize
12KB

MD5
80e49cafaed9e42fed7380ef96f22922

SHA1
f6cb4095d3fbeb4f06f829ab13fe979c64728c7c

SHA256
3c560d555221dc58b10de2edbedab07541b9673e686279c883ee955646096f2c

SHA512
16f02c89b425aa8412d92945ddd1a8a87b78ffabb033a125ee9df5a51430fa2806579c710c7f9832a172a20919dffd33e98eecca512a98b3271053567a17d09c

Download Submit
C:\ProgramData\Voicemod\Temp\sdk-custom-fx01_44100.wav

Filesize
524KB

MD5
2516ae38a1111603415a6e333b774f38

SHA1
5c1803b3e5542a23db25f5fc55afa66ac0cae8dc

SHA256
4312292ed70789b7bbc6363df24ef91f98f19ad47d7458af2468031da23f0a24

SHA512
aa83d86e15fb5eb9ca627f9d35919ad126f2fd0eb107e0de9f1c5bbc9f126405e489549d11b13003ee1ff3c72604f1b7684a8562c4c5efe104d118e938f46d49

Download Submit
C:\ProgramData\Voicemod\VoiceData\sdk-custom-fx01.dat

Filesize
136KB

MD5
9e00c46f54c86ca14352960177e37b7c

SHA1
b41333fb5f8572d989136fdfc95791a7b5d9d563

SHA256
053c5a457729cf059c6bf023fc693246635b147040066e0953f5b5e119e68037

SHA512
1a2afa13b114e64b24d8823ed2df6d6b2a3829c49f90b09145d2ecc7b92423200e1f61c7dd657c567b3045902ee0e6c252f4d7d5567cdae9d637ee9b53ad8375

Download Submit
C:\ProgramData\Voicemod\VoiceData\sdk-walkie-terror-1.dat

Filesize
13KB

MD5
0ac77f83d2d00526db401718f13519c2

SHA1
6e1755c5ff69ca23ffd2af543b65fc299bc6a3ca

SHA256
254cca4fe05e8cb0b4d8ddd977258f1e780bb12f6d473e407e8445d1022649a8

SHA512
9336d5dd34e35b5199cc1fbe5cd98ad2d2f2d6fb9926907e8a78121fb58e9c17b320630e0f673bb70b2d1487b84654176ffb12cccb3cf1e7fa5317ce3d1ec64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
9bf701112a730dbc3a81e07bc565e108

SHA1
03092a0fd1173c5bf312c58440f5ce9349b8dd4a

SHA256
7e8f428ef338fcb2f45b59d75629ac0c736b522f890c3bc0670dcd709ffb08e0

SHA512
cf6ff5207930e793194c0dd49bd71f0c45240b080a448d09ecee08a2a98fb92729be1189c6ee1f1a58bda6c66f9bba41eb2aeebc6df4550c2282667b907f6114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_51A881270F6155CF26F60F8639C44CB6

Filesize
471B

MD5
0a49019fdaf6b55459882b21ea2d0d41

SHA1
b40c430bb65be2451574ccb1512ea6e09478bafe

SHA256
87b0458b2beebb6821ec81768c8bc8d6d1bafd8d02248a44d57812ab4cb6bba1

SHA512
9e3498dd9d4d18a5e4fda602a96220917329a03f63db9f8c385f0323faf419164201741eb5dc838cfeb799038f938260df92c9d8db0c15e0b14c517301e08c74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
9b088e69a7af824d8dee140790e2c935

SHA1
4e7ad924ce84522bdb90f33fc52ae71021ea5644

SHA256
771261cd9c10d9fb6c6d46126d48a4e0e60da5173e9ffa1cdcb6ef1e14087043

SHA512
75c091f30c5fdf7536a41dc05891b599d1e110712f0588c722273223f873b244945d136be7e3a3be92059a74b10c8c40b419cb749d48be62ddbb50eae3981944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_51A881270F6155CF26F60F8639C44CB6

Filesize
408B

MD5
fd5645adf88379e56ae8c1f6a2715031

SHA1
2c25c76f8d70d7fa0b0644a0a3e4bd178a567bc0

SHA256
44ac3322521dd3cdb519d4809eecf1f5f1d6393e0b93800b43638ae23f07c94e

SHA512
5575a01c38d8e8067c2ef3d0d0cf27c9a574956973c866ead33390204502f4e9bbf2d1b4643bc1c2ee3ebe1f07f812a1b9db4460984e289b08965d18906d0c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoicemodSDKDotNET.Amd64.1.3.0.7\VoicemodSDK.dll

Filesize
22.3MB

MD5
6b0543fb8961eeb922ca06caae8352f3

SHA1
8b266885db9a88f2f89078eee5d2b2bd0f5a0918

SHA256
e3dea719f31d200f4e9719d5a8e7e34ff385652bec82c2ee7fbbc48ac888fa1b

SHA512
9cb787d924d61cee4708941d52345e68998aaf230403bef0a1c73e5755f11a6fa19be917d9038617f485d3bc8ef46b90fab0bf3a0e1bb2f292dedba9c6463087

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3DMC2.tmp\VoicemodSetup.tmp

Filesize
737KB

MD5
1a9f24ba757fd08f3b4db5570cd1bfd0

SHA1
6c8e5ee1db1bb8471dc2c2c7a1d9835d60df2d8d

SHA256
326071c6e04b3552414337cea066d809d987dbddbc8ad717626abc9dff748956

SHA512
bbc2bc152363d789c636941f71894b8a6062a5b37b33748c5e7eb6014bbb8ee0461c29fd892272758ece489abbe7cc4e0695f094a4963411723f698456c308a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEUQS.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEUQS.tmp\vc_redist.x64.exe

Filesize
14.6MB

MD5
d87640d43d161241d461949812e91d60

SHA1
1ba9c101bf77557d5ee9da6f967d94e1ca629f00

SHA256
5b0cbb977f2f5253b1ebe5c9d30edbda35dbd68fb70de7af5faac6423db575b5

SHA512
bb15e7465bdfb60ed9379a76c29eac5d76bf18c1f4bcfabc15b1aaf22624b1d389afbcb9f83bf638e2b0adad48cc324f437fad3150fd54c402723d2dd3dc02ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEUQS.tmp\vc_redist.x86.exe

Filesize
14.0MB

MD5
310f8aadd8055f8b8eba1a6528be7d10

SHA1
3ee9622151e4b50837fcdfac1b085430f0181f4e

SHA256
54ad46ae80984aa48cae6361213692c96b3639e322730d28c7fb93b183c761da

SHA512
2872a30939f7ee20b494806574cf5b8b5a0976f8fe69bdbd77dde2483ce2a9e5458ff3636147e49a449e941a44ca2d79239e3da62fddb69fc5bced8ee1004ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{b335cedc-5559-4f4c-80fa-ceaa0c53c71e}\vmdrv.sys

Filesize
44KB

MD5
31acfc46ce310b4fa7750c3db047154e

SHA1
d99d6f7d2bad8dcac0516170f9b1c29946eef4f3

SHA256
1f6cbdc32658ffcf48f6a037302f96c515febe16b459eeddd9c5624d5be91182

SHA512
9f1edb81bd70d216afe265ccf8b0ebe3a62f2bb31204339402e250b7e844ae9ed7aba84754d21ddf2f5854e406cb36fac346501d321113c784d54dffb170807a

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\001xzzhy.newcfg

Filesize
2KB

MD5
6c652d91f396d4bf687babb8559fd124

SHA1
6048842e90b6a7e23ea903a3a5d131959bf96ca3

SHA256
d2f4f8c3fd2ea54c35cbd5496993fc03000f9f86a152f3b2885c0c7e6203ed4d

SHA512
c7b7937a3f7187409451c8e4637c0e742a5d8dd865953378065b5b4c2af7df77b3d7b621906ff1b9776f69c451e00cc36ab608ac700538448ccbde904b8f98d8

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\00kp35np.newcfg

Filesize
1001B

MD5
bd2a8ab2f630b4f34a01ecb1c567b437

SHA1
6906e247137dd3ec9e95502887b1c603a85c7100

SHA256
f6e5c2fd2a7e314257c0cbc990678518f8205a0ed773d5cebdcd732d2f566bed

SHA512
ad100192b2382bdccd9924ac392b5b9c20321855d9ebd1b9a1ca0a58b0049535ac58c242567349ccefe9da63cf8bb7f74567176302231eff428b0063604695b3

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
1KB

MD5
a0a290a0290c79783beeb81ead47b683

SHA1
f0b541af9458e3ae0e70c260964e77021a47b621

SHA256
44649571dbbbd07d6e457a576fa6f16e6b8cdf69f57f75e97a3bdac8736c833a

SHA512
4f3153e9a57bac0ceac502af4dfd85486e0cf87d7edfff6db3c1fc5eec0e7760eb81131b3a43ac41db96973d3610191422ea9840adc05ebd1d3f6d3538d1372f

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
332B

MD5
9fdcac422aba9a832c4e1ba63c4f5633

SHA1
9d702a9454da3907bdd2cdee1cc7a792b25c2c6e

SHA256
733e489330d34542d6f8eca88b68115b6611f7cc4c44abe8433fe190784fce2d

SHA512
d759f45448cf0e9beac03e1c3a967a2d1d80d4155aa78128c33afa62c47f616399cf3c14f087707220e17d63153d17ebc8b9a66fff64f9cadadd9771ffbba56c

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
580B

MD5
850b92922b6a569b4da027c1caf7a7cd

SHA1
852e09d5b0ccd4e11e0d8b2c1c084eae560aca07

SHA256
1551dd11ef2a6dd31557ece197d2db5d1a54ba79a71436824f3d6c0a976eda33

SHA512
d23614ac73fd233760cc26ec81418ba77175c56ac20d1cc933da06f79cc367e80a1a2e617c6eef3e120180956bacc749657d4624f9629116c19a5bc9948bb449

Download Submit
C:\Windows\Temp\{17D569B5-A769-45FB-8EC0-B4573D90837E}\.cr\vc_redist.x86.exe

Filesize
881KB

MD5
9df0848b2753e9255f1a6b4cdc9a5a3e

SHA1
051469cd9e786b720ef6b70c35a1e184a643f520

SHA256
59089badd61acb47a07748c9018d3a959cf58f07de9902b0c45dffae3e566090

SHA512
518a78e77515b2fb21c5f66a760473a1f8ab5050e9bc65a4715ab178e568079f11f65fc173db59dd021b69fe0b606c42e50bf5f09a34ba2009a7b71e88033452

Download Submit
C:\Windows\Temp\{693025AB-A27F-407E-B331-7817D84AF77C}\.cr\vc_redist.x64.exe

Filesize
881KB

MD5
77e7adac36b6c0aa3497ab855328742b

SHA1
b14c603c4c5c7fae6e64ae1a3adb73bd2c276dfa

SHA256
8bdb6303852e0321a48156565a5f09a3ecd9f327123542453e0c086d1a9d0afa

SHA512
5ce7a058da003d551373367055760ed49492deab71ac400e39f1ad285139c0d6ea7394c2c2210e6977d123ae4bdbabae9cdc94b77726ded07268ee41765c2f54

Download Submit
C:\Windows\Temp\{6A0802AB-A1E5-461B-9F1D-5E0BB101F3EE}\.ba\1036\license.rtf

Filesize
136KB

MD5
1da77b492870266e67626ce000528425

SHA1
bbde5f2e5c744bf7eb4931ad0be883bd8a89cee2

SHA256
84cfc67f98d7553ab6af43e9b8d89138a9f46d0fd9291a441d7fe73f5c1a9dc6

SHA512
1efbf899fd722d5ebe2b885deb37da601c4291000761ba1825b4a76c2b51d5b69e1e03106ef0e29a108cc6b8ba8ec69ee7c7af641fabdcb1154a35d3dcb263b1

Download Submit
C:\Windows\Temp\{DC34FF2E-EF22-4891-B09B-F42674825F10}\.ba\1055\license.rtf

Filesize
177KB

MD5
f1a281f74d3e91d16dd26d1f313cd8a9

SHA1
ddb2ca9032c5a9c091eac53b679f6ba428077b00

SHA256
f79108a254f876e0f6bbcb05a9effbe25dc252e7ea256bfe3fd28ceb79737f25

SHA512
484c5ca26275427e1fb74d3217a22a0e4aac409aba973e78d7ad68834e7ad1d86c7855d34b227925200f941d288dfc09477b2d7dfe0856810c6c847297b8d625

Download Submit
C:\Windows\Temp\{DC34FF2E-EF22-4891-B09B-F42674825F10}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{DC34FF2E-EF22-4891-B09B-F42674825F10}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\??\c:\program files\voicemod desktop\driver\vmdrv.cat

Filesize
10KB

MD5
2a806a9b70eeba9507bba3f6f44aab0b

SHA1
9577336a7c441c6df360a598e89eef7a3c765ff2

SHA256
488b32ba019c0db448d0669f70bdf564d0f4bd23c7f9592d185474b0d62c763a

SHA512
197a4bd6427c8be1d5a1eca2faa98b1cfcddc7bb53210ddb20e5916b55fe5c4064639932042855db6dac371bea30ca13d9403cd4d8679ea093930694cd37980e

Download Submit
memory/1192-444-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1192-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1192-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1192-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2700-427-0x0000022C940E0000-0x0000022C940EA000-memory.dmp

Filesize
40KB

Download
memory/2700-425-0x0000022C92230000-0x0000022C92502000-memory.dmp

Filesize
2.8MB

Download
memory/2700-484-0x0000022CACF30000-0x0000022CACF38000-memory.dmp

Filesize
32KB

Download
memory/2700-485-0x0000022CAE880000-0x0000022CAE8B8000-memory.dmp

Filesize
224KB

Download
memory/2700-486-0x0000022CAE840000-0x0000022CAE84E000-memory.dmp

Filesize
56KB

Download
memory/2700-487-0x0000022CB2660000-0x0000022CB26A0000-memory.dmp

Filesize
256KB

Download
memory/2700-491-0x0000022CAE860000-0x0000022CAE86A000-memory.dmp

Filesize
40KB

Download
memory/2700-429-0x0000022CAC990000-0x0000022CACA36000-memory.dmp

Filesize
664KB

Download
memory/2700-431-0x0000022C94100000-0x0000022C9410A000-memory.dmp

Filesize
40KB

Download
memory/2700-495-0x0000022CB2650000-0x0000022CB2658000-memory.dmp

Filesize
32KB

Download
memory/2700-497-0x0000022CB26C0000-0x0000022CB26D2000-memory.dmp

Filesize
72KB

Download
memory/2700-477-0x0000022CAE8C0000-0x0000022CAFF24000-memory.dmp

Filesize
22.4MB

Download
memory/2700-498-0x0000022CB2750000-0x0000022CB2772000-memory.dmp

Filesize
136KB

Download
memory/2700-473-0x0000022CACB20000-0x0000022CACB2C000-memory.dmp

Filesize
48KB

Download
memory/2700-471-0x0000022CACAE0000-0x0000022CACAF2000-memory.dmp

Filesize
72KB

Download
memory/2700-628-0x0000022CAD490000-0x0000022CAD498000-memory.dmp

Filesize
32KB

Download
memory/2700-627-0x0000022CAD480000-0x0000022CAD488000-memory.dmp

Filesize
32KB

Download
memory/2700-625-0x0000022CAD4B0000-0x0000022CAD4F8000-memory.dmp

Filesize
288KB

Download
memory/2700-626-0x0000022CAD460000-0x0000022CAD46A000-memory.dmp

Filesize
40KB

Download
memory/2700-623-0x0000022CAD450000-0x0000022CAD45C000-memory.dmp

Filesize
48KB

Download
memory/4844-21-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4844-26-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4844-242-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4844-13-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4844-420-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4844-6-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4844-441-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download