wannacry | 7bc72601a99488910e0e3ebfd167b0e6c6a66ac7aa0de499699b7621859e320f

Resubmissions

15-11-2024 20:12

241115-yy98kszqa1 4

15-11-2024 20:08

241115-yw1alavlfl 10

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voicemod Pro by mr.motchy/VoicemodSetup.exe
Size

22.2MB
MD5

2c74a59f3a312c9003e3bdf2f458c87f
SHA1

97b1ede9c186ea36a74bceb1bf5e5689aad99086
SHA256

afd7452c34570e409fc0c2bc8a22fb7429a3cc8f48e85fe6a154656ec020330d
SHA512

b5e8810733694aa773c4c3b8a4063e5fddd962b64d2ad697223ddeb7337f09e8c21fc1efdb2c13c854f2e6884940fac217338e0839fd21d2b4db3c2da031a392
SSDEEP

393216:D2MvvQScyvXuaXVTwkBgoEMNBrDXLuzLYzCdcv8p5UPxaMQlBf4PrE:SMvVcysoEcLuzLig5p5UPxtyAP4

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops file in Drivers directory 10 IoCs

Processes:

DrvInst.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\system32\drivers\SETB17.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File created	C:\Windows\system32\drivers\SETC9D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\SETB17.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vmdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\SETC9D.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\vmdrv.sys	DrvInst.exe

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD55B4.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD55CB.tmp	WannaCry.EXE

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2928 icacls.exe
5356 icacls.exe

pid	process
2928	icacls.exe
5356	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

VoicemodSetup.tmpreg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voicemod = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\""	VoicemodSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxknciwttsoogz987 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Downloads MZ/PE file
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

122 camo.githubusercontent.com
140 raw.githubusercontent.com
141 raw.githubusercontent.com
121 camo.githubusercontent.com

flow	ioc
122	camo.githubusercontent.com
140	raw.githubusercontent.com
141	raw.githubusercontent.com
121	camo.githubusercontent.com

Drops file in System32 directory 17 IoCs

Processes:

DrvInst.exedevcon.exedevcon.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\vmdrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET859.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET85A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.PNF	devcon.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.PNF	devcon.exe
File created	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET848.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET859.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\vmdrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET848.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET85A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\vmdrv.sys	DrvInst.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected]WannaCry.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

VoicemodSetup.tmpcmd.exe

description	ioc	process
File created	C:\Program Files\Voicemod Desktop\unins000.dat	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-OJCHA.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-85JK1.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ru\is-RTRJI.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\unins000.dat	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\NAudio.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ko\is-TKNHH.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ko\is-JPU75.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\44100\is-1HQUK.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\es\SimpleConverter.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\pt\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-N1JNR.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-A0KL8.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-2GT01.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\de\is-1MQ0T.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\Hardcodet.Wpf.TaskbarNotification.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\de\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-PN2K5.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\48000\is-66T7R.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\is-9DUP5.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\de\is-DR5RG.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\uninstalldriver.log	cmd.exe
File opened for modification	C:\Program Files\Voicemod Desktop\lib\WpfAnimatedGif.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\fr\SimpleConverter.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ko\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\fr\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-6Q181.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-LP7TB.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-1HGP6.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\es\is-NMCJH.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\pt\is-1SJNR.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-4BKBK.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-8NGH1.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-7EM6K.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\es\AutoUpdater.NET.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\VoicemodControls.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ru\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-EGR5F.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-RTML3.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-0E9QR.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\GoogleAnalytics.Core.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\es\VoicemodDesktop.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ru\SimpleConverter.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\driver\is-KN36C.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-6IQCO.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\zh\is-M67TM.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\fr\is-F9T2F.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ko\is-HSLPH.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\Newtonsoft.Json.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\VoicemodSDKDotNET.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-VOAHE.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\zh\is-EBR74.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\ru\is-KIFQ0.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\fr\is-UQ37V.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\pt\is-FGTO9.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\lib\AutoUpdater.NET.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\zh\SimpleConverter.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\ko\SimpleConverter.resources.dll	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\pt\SimpleConverter.resources.dll	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\lib\is-JBBHD.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\zh\is-PBNMS.tmp	VoicemodSetup.tmp
File created	C:\Program Files\Voicemod Desktop\fr\is-B9DQ9.tmp	VoicemodSetup.tmp
File opened for modification	C:\Program Files\Voicemod Desktop\driver\DriverPackageUninstall.exe	VoicemodSetup.tmp

Drops file in Windows directory 12 IoCs

Processes:

devcon.exesvchost.exeDrvInst.exeDrvInst.exedevcon.exedevcon.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\INF\oem0.PNF	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	devcon.exe
File created	C:\Windows\INF\oem2.PNF	devcon.exe
File created	C:\Windows\INF\c_media.PNF	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 21 IoCs

Processes:

VoicemodSetup.tmpvc_redist.x64.exevc_redist.x64.exevc_redist.x86.exevc_redist.x86.exeSaveDefaultDevices.exedevcon.exedevcon.exedevcon.exeVoicemodDesktop.exeVoicemodDesktop.exeVoicemodDesktop.exeWannaCry.EXEWannaCry.EXEtaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]

pid	process
5116	VoicemodSetup.tmp
2352	vc_redist.x64.exe
2528	vc_redist.x64.exe
3272	vc_redist.x86.exe
5100	vc_redist.x86.exe
3712	SaveDefaultDevices.exe
2104	devcon.exe
1592	devcon.exe
1920	devcon.exe
2540	VoicemodDesktop.exe
1188	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
5808	WannaCry.EXE
5996	WannaCry.EXE
5612	taskdl.exe
4600	@[email protected]
5488	@[email protected]
1228	taskhsvc.exe
5280	taskdl.exe
3972	taskse.exe
4196	@[email protected]

Loads dropped DLL 24 IoCs

Processes:

VoicemodSetup.tmpvc_redist.x64.exevc_redist.x86.exeVoicemodDesktop.exeVoicemodDesktop.exetaskhsvc.exe

pid	process
5116	VoicemodSetup.tmp
2528	vc_redist.x64.exe
5100	vc_redist.x86.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1228	taskhsvc.exe
1228	taskhsvc.exe
1228	taskhsvc.exe
1228	taskhsvc.exe
1228	taskhsvc.exe
1228	taskhsvc.exe
1228	taskhsvc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vc_redist.x64.execmd.exevc_redist.x64.execmd.exe@[email protected]taskdl.exeVoicemodSetup.execscript.exevc_redist.x86.exeWannaCry.EXEicacls.exeattrib.exetaskhsvc.execmd.exeattrib.execmd.exeVoicemodSetup.tmpvc_redist.x86.exetaskdl.exe@[email protected]taskse.exe@[email protected]WannaCry.EXEicacls.exeattrib.exereg.exeWMIC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

devcon.exeDrvInst.exesvchost.exeDrvInst.exedevcon.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4464 reg.exe

pid	process
4464	reg.exe

NTFS ADS 4 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 454771.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 528376.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 569269.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 554491.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

VoicemodSetup.tmpVoicemodDesktop.exeVoicemodDesktop.exeVoicemodDesktop.exemsedge.exemsedge.exeidentity_helper.exemsedge.exetaskhsvc.exe

pid	process
5116	VoicemodSetup.tmp
5116	VoicemodSetup.tmp
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
1188	VoicemodDesktop.exe
1188	VoicemodDesktop.exe
1188	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
5028	msedge.exe
5028	msedge.exe
2268	msedge.exe
2268	msedge.exe
1768	identity_helper.exe
1768	identity_helper.exe
5696	msedge.exe
5696	msedge.exe
1228	taskhsvc.exe
1228	taskhsvc.exe
1228	taskhsvc.exe
1228	taskhsvc.exe
1228	taskhsvc.exe
1228	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exedevcon.exeDrvInst.exedevcon.exeDrvInst.exeVoicemodDesktop.exeVoicemodDesktop.exeAUDIODG.EXEVoicemodDesktop.exetaskse.exeWMIC.exe

description	pid	process
Token: SeAuditPrivilege	3260	svchost.exe
Token: SeSecurityPrivilege	3260	svchost.exe
Token: SeLoadDriverPrivilege	1592	devcon.exe
Token: SeRestorePrivilege	2080	DrvInst.exe
Token: SeBackupPrivilege	2080	DrvInst.exe
Token: SeRestorePrivilege	2080	DrvInst.exe
Token: SeBackupPrivilege	2080	DrvInst.exe
Token: SeRestorePrivilege	2080	DrvInst.exe
Token: SeBackupPrivilege	2080	DrvInst.exe
Token: SeLoadDriverPrivilege	2080	DrvInst.exe
Token: SeLoadDriverPrivilege	2080	DrvInst.exe
Token: SeLoadDriverPrivilege	2080	DrvInst.exe
Token: SeLoadDriverPrivilege	1920	devcon.exe
Token: SeRestorePrivilege	4432	DrvInst.exe
Token: SeBackupPrivilege	4432	DrvInst.exe
Token: SeRestorePrivilege	4432	DrvInst.exe
Token: SeBackupPrivilege	4432	DrvInst.exe
Token: SeRestorePrivilege	4432	DrvInst.exe
Token: SeBackupPrivilege	4432	DrvInst.exe
Token: SeLoadDriverPrivilege	4432	DrvInst.exe
Token: SeLoadDriverPrivilege	4432	DrvInst.exe
Token: SeLoadDriverPrivilege	4432	DrvInst.exe
Token: SeLoadDriverPrivilege	4432	DrvInst.exe
Token: SeDebugPrivilege	2540	VoicemodDesktop.exe
Token: SeDebugPrivilege	1188	VoicemodDesktop.exe
Token: 33	3416	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3416	AUDIODG.EXE
Token: 33	2540	VoicemodDesktop.exe
Token: SeIncBasePriorityPrivilege	2540	VoicemodDesktop.exe
Token: SeDebugPrivilege	1328	VoicemodDesktop.exe
Token: 33	1328	VoicemodDesktop.exe
Token: SeIncBasePriorityPrivilege	1328	VoicemodDesktop.exe
Token: SeTcbPrivilege	3972	taskse.exe
Token: SeTcbPrivilege	3972	taskse.exe
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeSecurityPrivilege	4656	WMIC.exe
Token: SeTakeOwnershipPrivilege	4656	WMIC.exe
Token: SeLoadDriverPrivilege	4656	WMIC.exe
Token: SeSystemProfilePrivilege	4656	WMIC.exe
Token: SeSystemtimePrivilege	4656	WMIC.exe
Token: SeProfSingleProcessPrivilege	4656	WMIC.exe
Token: SeIncBasePriorityPrivilege	4656	WMIC.exe
Token: SeCreatePagefilePrivilege	4656	WMIC.exe
Token: SeBackupPrivilege	4656	WMIC.exe
Token: SeRestorePrivilege	4656	WMIC.exe
Token: SeShutdownPrivilege	4656	WMIC.exe
Token: SeDebugPrivilege	4656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4656	WMIC.exe
Token: SeRemoteShutdownPrivilege	4656	WMIC.exe
Token: SeUndockPrivilege	4656	WMIC.exe
Token: SeManageVolumePrivilege	4656	WMIC.exe
Token: 33	4656	WMIC.exe
Token: 34	4656	WMIC.exe
Token: 35	4656	WMIC.exe
Token: 36	4656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeSecurityPrivilege	4656	WMIC.exe
Token: SeTakeOwnershipPrivilege	4656	WMIC.exe
Token: SeLoadDriverPrivilege	4656	WMIC.exe
Token: SeSystemProfilePrivilege	4656	WMIC.exe
Token: SeSystemtimePrivilege	4656	WMIC.exe
Token: SeProfSingleProcessPrivilege	4656	WMIC.exe
Token: SeIncBasePriorityPrivilege	4656	WMIC.exe
Token: SeCreatePagefilePrivilege	4656	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

VoicemodSetup.tmpVoicemodDesktop.exeVoicemodDesktop.exemsedge.exe

pid	process
5116	VoicemodSetup.tmp
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

VoicemodDesktop.exeVoicemodDesktop.exemsedge.exe

pid	process
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

VoicemodDesktop.exeVoicemodDesktop.exe@[email protected]@[email protected]@[email protected]

pid	process
2540	VoicemodDesktop.exe
2540	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
1328	VoicemodDesktop.exe
4600	@[email protected]
4600	@[email protected]
5488	@[email protected]
5488	@[email protected]
4196	@[email protected]
4196	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VoicemodSetup.exeVoicemodSetup.tmpvc_redist.x64.exevc_redist.x86.execmd.execmd.exesvchost.exeVoicemodDesktop.exe

description	pid	process	target process
PID 4340 wrote to memory of 5116	4340	VoicemodSetup.exe	VoicemodSetup.tmp
PID 4340 wrote to memory of 5116	4340	VoicemodSetup.exe	VoicemodSetup.tmp
PID 4340 wrote to memory of 5116	4340	VoicemodSetup.exe	VoicemodSetup.tmp
PID 5116 wrote to memory of 2352	5116	VoicemodSetup.tmp	vc_redist.x64.exe
PID 5116 wrote to memory of 2352	5116	VoicemodSetup.tmp	vc_redist.x64.exe
PID 5116 wrote to memory of 2352	5116	VoicemodSetup.tmp	vc_redist.x64.exe
PID 2352 wrote to memory of 2528	2352	vc_redist.x64.exe	vc_redist.x64.exe
PID 2352 wrote to memory of 2528	2352	vc_redist.x64.exe	vc_redist.x64.exe
PID 2352 wrote to memory of 2528	2352	vc_redist.x64.exe	vc_redist.x64.exe
PID 5116 wrote to memory of 3272	5116	VoicemodSetup.tmp	vc_redist.x86.exe
PID 5116 wrote to memory of 3272	5116	VoicemodSetup.tmp	vc_redist.x86.exe
PID 5116 wrote to memory of 3272	5116	VoicemodSetup.tmp	vc_redist.x86.exe
PID 3272 wrote to memory of 5100	3272	vc_redist.x86.exe	vc_redist.x86.exe
PID 3272 wrote to memory of 5100	3272	vc_redist.x86.exe	vc_redist.x86.exe
PID 3272 wrote to memory of 5100	3272	vc_redist.x86.exe	vc_redist.x86.exe
PID 5116 wrote to memory of 3712	5116	VoicemodSetup.tmp	SaveDefaultDevices.exe
PID 5116 wrote to memory of 3712	5116	VoicemodSetup.tmp	SaveDefaultDevices.exe
PID 5116 wrote to memory of 4488	5116	VoicemodSetup.tmp	cmd.exe
PID 5116 wrote to memory of 4488	5116	VoicemodSetup.tmp	cmd.exe
PID 4488 wrote to memory of 2296	4488	cmd.exe	cmd.exe
PID 4488 wrote to memory of 2296	4488	cmd.exe	cmd.exe
PID 2296 wrote to memory of 2104	2296	cmd.exe	devcon.exe
PID 2296 wrote to memory of 2104	2296	cmd.exe	devcon.exe
PID 4488 wrote to memory of 1592	4488	cmd.exe	devcon.exe
PID 4488 wrote to memory of 1592	4488	cmd.exe	devcon.exe
PID 3260 wrote to memory of 976	3260	svchost.exe	DrvInst.exe
PID 3260 wrote to memory of 976	3260	svchost.exe	DrvInst.exe
PID 3260 wrote to memory of 2080	3260	svchost.exe	DrvInst.exe
PID 3260 wrote to memory of 2080	3260	svchost.exe	DrvInst.exe
PID 4488 wrote to memory of 1920	4488	cmd.exe	devcon.exe
PID 4488 wrote to memory of 1920	4488	cmd.exe	devcon.exe
PID 3260 wrote to memory of 4432	3260	svchost.exe	DrvInst.exe
PID 3260 wrote to memory of 4432	3260	svchost.exe	DrvInst.exe
PID 5116 wrote to memory of 2540	5116	VoicemodSetup.tmp	VoicemodDesktop.exe
PID 5116 wrote to memory of 2540	5116	VoicemodSetup.tmp	VoicemodDesktop.exe
PID 2540 wrote to memory of 4208	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4208	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 1172	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 1172	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4620	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4620	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4812	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4812	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 1112	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 1112	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 2868	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 2868	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4824	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4824	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 1408	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 1408	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4964	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4964	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 2392	2540	VoicemodDesktop.exe	Conhost.exe
PID 2540 wrote to memory of 2392	2540	VoicemodDesktop.exe	Conhost.exe
PID 2540 wrote to memory of 4692	2540	VoicemodDesktop.exe	Conhost.exe
PID 2540 wrote to memory of 4692	2540	VoicemodDesktop.exe	Conhost.exe
PID 2540 wrote to memory of 1396	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 1396	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 1152	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 1152	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4576	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 4576	2540	VoicemodDesktop.exe	cmd.exe
PID 2540 wrote to memory of 940	2540	VoicemodDesktop.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

6008 attrib.exe
5272 attrib.exe
5632 attrib.exe

pid	process
6008	attrib.exe
5272	attrib.exe
5632	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp" /SL5="$60214,22991991,87040,C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe" /quiet /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\Temp\{ED2F5488-7C7E-4D98-84D2-349C48F9B791}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{ED2F5488-7C7E-4D98-84D2-349C48F9B791}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe" -burn.filehandle.attached=688 -burn.filehandle.self=692 /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2528
- - C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe
    "C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe" /quiet /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\Temp\{A60A61C6-DF86-4316-AE12-9063B8D5B120}\.cr\vc_redist.x86.exe
      "C:\Windows\Temp\{A60A61C6-DF86-4316-AE12-9063B8D5B120}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe" -burn.filehandle.attached=556 -burn.filehandle.self=692 /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5100
- - C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
    "C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt
    3⤵
    - Executes dropped EXE
    PID:3712
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "devcon.exe dp_enum"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Program Files\Voicemod Desktop\driver\devcon.exe
        
        devcon.exe dp_enum
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:2104
  - - C:\Program Files\Voicemod Desktop\driver\devcon.exe
      devcon install vmdrv.inf *VMDriver
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Program Files\Voicemod Desktop\driver\devcon.exe
      devcon update vmdrv.inf *VMDriver
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:1920
- - C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
    "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-alien-vocoder*.wav
      4⤵
      PID:4208
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-android-background*.wav
      4⤵
      PID:1172
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-android-vocoder*.wav
      4⤵
      PID:4620
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-aphonic-vocoder*.wav
      4⤵
      PID:4812
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-beach*.wav
      4⤵
      PID:1112
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-capella*.wav
      4⤵
      PID:2868
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-reggae*.wav
      4⤵
      PID:4824
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-rock*.wav
      4⤵
      PID:1408
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cave*.wav
      4⤵
      PID:4964
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cop-chase*.wav
      4⤵
      PID:2392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cop-radio*.wav
      4⤵
      PID:4692
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-fear-background*.wav
      4⤵
      PID:1396
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-fear-background-in*.wav
      4⤵
      PID:1152
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-franky-background*.wav
      4⤵
      PID:4576
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-franky-vocoder*.wav
      4⤵
      PID:940
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-ghost-background*.wav
      4⤵
      PID:2936
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-ghost-vocoder*.wav
      4⤵
      PID:5104
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-harmony-vocoder*.wav
      4⤵
      PID:4408
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-hurry-up-in*.wav
      4⤵
      PID:3224
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-hurry-up-loop*.wav
      4⤵
      PID:3700
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-bee*.wav
      4⤵
      PID:3628
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-growl*.wav
      4⤵
      PID:2352
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-leopard*.wav
      4⤵
      PID:4100
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-tiger*.wav
      4⤵
      PID:3528
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-magic-chords-vocoder*.wav
      4⤵
      PID:4960
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-party-time-background*.wav
      4⤵
      PID:1900
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-party-time-vocoder*.wav
      4⤵
      PID:4964
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-possessed-background*.wav
      4⤵
      PID:1936
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-robot-background*.wav
      4⤵
      PID:5072
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-robot-vocoder*.wav
      4⤵
      PID:3596
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-romantic-paris*.wav
      4⤵
      PID:3264
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-romantic-ulala*.wav
      4⤵
      PID:4576
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-santa-background*.wav
      4⤵
      PID:940
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-sleepyhead*.wav
      4⤵
      PID:2936
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spacemen-background*.wav
      4⤵
      PID:2088
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-speechifier-ovation-background*.wav
      4⤵
      PID:752
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-speechifier-protest-background*.wav
      4⤵
      PID:3376
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spirit-background*.wav
      4⤵
      PID:3016
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spirit-vocoder*.wav
      4⤵
      PID:1976
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-action-background*.wav
      4⤵
      PID:2176
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-drama-background*.wav
      4⤵
      PID:4432
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-happy-background*.wav
      4⤵
      PID:4568
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-student-hall*.wav
      4⤵
      PID:776
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-student-playtime*.wav
      4⤵
      PID:5012
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-sword-background*.wav
      4⤵
      PID:2284
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-underwater*.wav
      4⤵
      PID:1044
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-1*.wav
      4⤵
      PID:1868
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4692
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-2*.wav
      4⤵
      PID:4768
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-3*.wav
      4⤵
      PID:2444
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-4*.wav
      4⤵
      PID:4924
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-1*.wav
      4⤵
      PID:4948
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-2*.wav
      4⤵
      PID:3872
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-3*.wav
      4⤵
      PID:4564
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-4*.wav
      4⤵
      PID:1772
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-background*.wav
      4⤵
      PID:3144
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-vocoder*.wav
      4⤵
      PID:1412
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-vocoder2*.wav
      4⤵
      PID:3184
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cooltune-vocoder*.wav
      4⤵
      PID:3700
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-punk-vocoder*.wav
      4⤵
      PID:868
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx01*.wav
      4⤵
      PID:3200
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx02*.wav
      4⤵
      PID:4488
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx03*.wav
      4⤵
      PID:5068
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx04*.wav
      4⤵
      PID:5116
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx05*.wav
      4⤵
      PID:4004
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx06*.wav
      4⤵
      PID:2308
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx07*.wav
      4⤵
      PID:244
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx08*.wav
      4⤵
      PID:4956
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx09*.wav
      4⤵
      PID:4556
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx10*.wav
      4⤵
      PID:4468
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx11*.wav
      4⤵
      PID:2860
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx12*.wav
      4⤵
      PID:2880
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx13*.wav
      4⤵
      PID:2240
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx14*.wav
      4⤵
      PID:1176
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx15*.wav
      4⤵
      PID:2088
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar1*.wav
      4⤵
      PID:2576
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar2*.wav
      4⤵
      PID:3648
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar3*.wav
      4⤵
      PID:4604
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar4*.wav
      4⤵
      PID:3676
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar5*.wav
      4⤵
      PID:4812
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar6*.wav
      4⤵
      PID:4108
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky1*.wav
      4⤵
      PID:776
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky2*.wav
      4⤵
      PID:5012
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky3*.wav
      4⤵
      PID:640
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky4*.wav
      4⤵
      PID:228
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky5*.wav
      4⤵
      PID:3292
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-exo*.wav
      4⤵
      PID:4152
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-gameover-amb*.wav
      4⤵
      PID:4616
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-outofrange*.wav
      4⤵
      PID:1516
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder1*.wav
      4⤵
      PID:464
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder2*.wav
      4⤵
      PID:2880
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder3*.wav
      4⤵
      PID:3396
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-titan-background-part1*.wav
      4⤵
      PID:1176
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-titan-background-part2*.wav
      4⤵
      PID:752
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx16*.wav
      4⤵
      PID:5096
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx17*.wav
      4⤵
      PID:440
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx18*.wav
      4⤵
      PID:3700
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx19*.wav
      4⤵
      PID:3308
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx20*.wav
      4⤵
      PID:4712
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-bass*.wav
      4⤵
      PID:1820
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-octava*.wav
      4⤵
      PID:2956
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-quinta*.wav
      4⤵
      PID:4960
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-tercera*.wav
      4⤵
      PID:4584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d6d9d755-21a1-004a-9992-bca29bcb94f0}\vmdrv.inf" "9" "499a51a03" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files\voicemod desktop\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:976
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:11.18.35.982:*vmdriver," "499a51a03" "000000000000014C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:11.18.35.982:*vmdriver," "499a51a03" "000000000000014C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4432

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578 0x3a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b43ab3069362483181a941af35f01f2c /t 2884 /p 2540
1⤵
PID:1112

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffebf5546f8,0x7ffebf554708,0x7ffebf554718
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5696
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5808
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:6008
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5356
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 168181731701469.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5724
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:5480
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5632
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4600
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6136
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5488
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5280
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Sets desktop wallpaper using registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rxknciwttsoogz987" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rxknciwttsoogz987" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4464
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5996
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5272
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\cb0d49af1875490aabfc9dcdc5646821 /t 1696 /p 1328
1⤵
PID:6024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

Filesize
2.8MB

MD5
60271d3806a3def814980266fd07f32d

SHA1
b862f3c346ef7d5834c5196dd5596c39296ceb17

SHA256
d2a3683c8078509b09d97da2d190dc9c19f52d22003e31bf29e352beb611be91

SHA512
5c351025379106f857c6a67defea313ab625a419c6bf10ddc6d6e9155826e990181b2e400ced40a6182893cae706a999f3b7516549ebd17b50f0f2070efc4408

Download Submit
C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe.config

Filesize
8KB

MD5
4bff4b706028b0c1a4493478a41b6075

SHA1
0ebaa8b02aafee8a45b282c09bc59525e81eb2ee

SHA256
71245f7de6f8cd1855194be81c191f8435fbe62b780f40fadfbce1efabb21f44

SHA512
10c1b88fea7298610a9a8a78b83319fc8b3299513879031f63292de7c90520ecf3c2009ab8eb00a9f0ee262a4f433d272150db42a7e94fb20bb63b66e06c8f49

Download Submit
C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

Filesize
149KB

MD5
ce0e059d4365c22f6f8cc1ce04ff5418

SHA1
09eff27e69a3e4d3cc8bef9e93fe6ae7e20447c8

SHA256
663e5b184648639cbcf353ddaeec6688abe323dbccf8de8fc8d2683f5e1a99cb

SHA512
c8c9ff1fcb172bdbf90d598b2cf0c5f0dab31132b8633540a162ec0c299861d64f36bb805da7dca5b4a4ac96c74fc420303235cbc780f09a2c2aad5b7de724ff

Download Submit
C:\Program Files\Voicemod Desktop\driver\defaultdevices.txt

Filesize
79B

MD5
0e5eb142f749641ed53bbe3ef1dbe117

SHA1
a6d2fe121719a6b7fb1643ee5943400dc76110bb

SHA256
1858a607f47d5d33bc078209c49257888a1e1d1ffd7efe7c6045c627784de0f3

SHA512
164d12352a1593abcbf373471b36a73fc7674efb6d5673a67380d17da172b8ad0f0e6f307c014d0f0c92e71c344417db089a273086068a89c220440c50bebd49

Download Submit
C:\Program Files\Voicemod Desktop\driver\devcon.exe

Filesize
103KB

MD5
8d54022fb70fd952257ca4ea17efabc6

SHA1
8f0af9538ae263ead5d310b8cf393f46b0e4689e

SHA256
4bee65c38784c64888c12dc35fc706051dcdb32b4949766e83ad260096601812

SHA512
38a020b700b463331918c055bba8cd1e4281231954d854ad9b10d1da746f495afed5b110401266edfeb31416d2b0308209da1391ac0d1401da25546b380df38f

Download Submit
C:\Program Files\Voicemod Desktop\driver\setupDrv.bat

Filesize
110B

MD5
8a8790395e17b81e5638c805d25f1aad

SHA1
da8fa73c457715c8a9c52e93f640bc34983f6a14

SHA256
8d0ee2177712918bde4be1fdba8d87815863d864a993a3361459ce194131f6a3

SHA512
9eb26cd0bc8e0d41ba4acb34eb4e809317dc5f7e1a0f7e6671dd64f6deb7720ffbfaff76b94e24162ddd992582793bb8f94227cd7b59fccb0234d753862fec75

Download Submit
C:\Program Files\Voicemod Desktop\driver\uninstalldriver.bat

Filesize
1KB

MD5
90df9e95ac9ce0911012063619c7f6db

SHA1
4d942854cfd3b5e21327a0c8a7366c570ef63a4e

SHA256
883f7763a00f6419f7acc21a1772077e16b432dd1b6d15ba092a3a3a19667bc3

SHA512
6513d48c996f845bf1635552fbda26c68c57a0cfb7dde0e92181378b9724cd69d80b5d0f2e5fea2c9dcca03f668e4da81fbbffbb2c356f301bbee6baddb525bc

Download Submit
C:\Program Files\Voicemod Desktop\driver\vmdrv.inf

Filesize
4KB

MD5
69ffb954ea5d86423e3119b1243245aa

SHA1
21b7dfed35ae606d6dd3a4084a9d2f23d5e0c0fe

SHA256
fdc1514450a4eac615d959e17e527c6d69cfe92871626b39bc38a096a439a45d

SHA512
bc6130d3e989109f246af6c5db4e1a08c6363dacbce25d7dc164c8d4a1f89682b6afb761ef1199d17eb35198b9dc60e6bbbe5c91e37739d42565a8039e5ca410

Download Submit
C:\Program Files\Voicemod Desktop\lib\AutoUpdater.NET.dll

Filesize
247KB

MD5
352ae2bf69212f6ed9c83a490b7f3092

SHA1
796dae8aa2cbaf23edbeca952004bc5027c48981

SHA256
bf1e263bc97bdfe32d90471253d9771a132e5cc1546502ed7c8e94548f6472a6

SHA512
c01c753f9cc5aee8c0e8506d8331bd7e7be33d9635a94b9d38d4c019f72cce8ca82c4b4899873d58c150cb9c2000a010cf99a1de9f240af60f609d613b276b1b

Download Submit
C:\Program Files\Voicemod Desktop\lib\Fleck.dll

Filesize
43KB

MD5
6d146f7df192621476283af335fd4180

SHA1
23856ece8d35a46fab20d999baec69b995819ff4

SHA256
65ae6fc064fe4e079fd7a462b79694b22275307723e0127dfe5c33132d30f902

SHA512
7d414ce663f2f1ac115335ab2f9454f6001fa175c71d49c6d09e0c3f3f1003809e56f7fba88a8d04b9e34a8032c3e4d2e467b30d12f7483ec60fee350a2fcef1

Download Submit
C:\Program Files\Voicemod Desktop\lib\GoogleAnalytics.Core.dll

Filesize
42KB

MD5
d67fe5af6345272b8b24e1d4b08732d5

SHA1
863f1b88aa8f8dcfc4e13339951cf12c52a1cbcd

SHA256
8a3871479b26a5da72788eacb4543b32cadc0aacffb82bb7351040d4e4a915ca

SHA512
e670e53a983e3c209a2cf3a9178cfcaba2a125530241f5b86c4d9052598d382c2a69824b2254c269ee716800b43fe3e920020d5cfc1c428f32d79372b0979892

Download Submit
C:\Program Files\Voicemod Desktop\lib\Hardcodet.Wpf.TaskbarNotification.dll

Filesize
43KB

MD5
366cd5572e467b3b06515cfb4ab036ad

SHA1
156f75191d06905003a7ab811880556af8dad44a

SHA256
f84935be717e1c49a54c1d7f8476243a4d34c0ea90c4ad13afe3f50164ba5f2e

SHA512
96c4d4c8c05478dc124cbaaa3d36b304697edb1d0e7ae197c786f04e76df516cbf093d4aeae8cfeb9182f22c3758e93e242d43e8510935be473c1c0637a03e21

Download Submit
C:\Program Files\Voicemod Desktop\lib\Newtonsoft.Json.dll

Filesize
638KB

MD5
f33cbe589b769956284868104686cc2d

SHA1
2fb0be100de03680fc4309c9fa5a29e69397a980

SHA256
973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278

SHA512
ffd65f6487bc71c967abcf90a666080c67b8db010d5282d2060c9d87a9828519a14f5d3a6fe76d81e1d3251c2104a2e9e6186af0effd5f331b1342682811ebf4

Download Submit
C:\Program Files\Voicemod Desktop\lib\RawInputProcessor.dll

Filesize
21KB

MD5
33f6ad87b6d8128b831be2884cb4ab2e

SHA1
e4277426445197a7ae4463b7732ccb282fcecf42

SHA256
ee069a485d30cebc1c56f25d2c1b418c13bf685065f1a3c2976bbec42f5b53b9

SHA512
f7104bc09bc4ce4f773fc2637a0952adef836715a6298545a7124364aaa94124e2cea699672113805911b942758128255394361baa42997f02769b7df454c2e1

Download Submit
C:\Program Files\Voicemod Desktop\lib\SharpDX.RawInput.dll

Filesize
24KB

MD5
c424d62f5045d6e2800c7fdef5f1697d

SHA1
434e533928d6da0da41201d6e4b0baa97ac93b91

SHA256
727e4f5e311b1f582bc89ae9e2c3cd585b7952c433b6e7656521bac05811f651

SHA512
0e5a564d9de35eb3747350c4ff7e456cd8b544f89641c7bc7df03008c30ff0eae53b3d5c5744fc736fe9aab27d638455ad221499a2b13f2084cfb602f13fc114

Download Submit
C:\Program Files\Voicemod Desktop\lib\SharpDX.dll

Filesize
260KB

MD5
6fabeaa1c8ea15e787f2e3b487ab434d

SHA1
c2091f69192903676ed6b181bbf8346b819c43a2

SHA256
28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909

SHA512
076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

Download Submit
C:\Program Files\Voicemod Desktop\lib\SimpleConverter.dll

Filesize
10KB

MD5
f39f4d5a10201198b0789e10a915baa6

SHA1
f81e7ffe073217a48adf0d794261aa69ee943ec4

SHA256
f6d536162aed7f088b7d7d4bd18f33373f912cf6c3c2699cd7703ea2eef05cbe

SHA512
c337808b1f8436453f9b46057eb66b206e54d4810a11be11d125b1b92c31ab16d1faa4221d58c5e3813ecc3d7afe28d00a5fb9118d89b9d32558608d4e71d56c

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodControls.dll

Filesize
22KB

MD5
68cb781b645a287646e211ff3133fbe4

SHA1
20f79d9aff52da78a2cd946a1c4c6f5b2cd062d3

SHA256
f99f25bdfa5ea1a40fc219738ea3e56657a2119bd9d07c3961a168a72ab37f9e

SHA512
69b3e636f53e684fb2d1a1a183a8d3131c33d357269f4a009f8f0690c9662dee62b63be1bb79c0aecdc16f3320e616700971a1af5749a1d3af5dde6bf1335269

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodLogger.dll

Filesize
14KB

MD5
67f3a5fd99bc104a01a906df6f5896e3

SHA1
39527769e186278029a6d4303cb3015ac90d5c01

SHA256
8f2c68dd604321d09343b5566b74d72527e78ad717fc41e91d48ce931a8eedb0

SHA512
e46dc143ca5a73ba2215bf7cc5e9c530ea163db55418291bf2f2a8f83ec2084b025e0269f398d92c14f8fc5b182e08ab2868f288c559454c8ab5c517cf393995

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodSDKDotNET.dll

Filesize
22.4MB

MD5
a88987bb53e80e790611ead096add25b

SHA1
e4c7965384d4c467f228dcd83eb16754c47377cf

SHA256
0286fcd7d25ae394323ce46b23d800f966e4da4d8441d51d6d74f3943cd69b0f

SHA512
d21069e03636036b8484ec9e37cf5d56468b80b281923ca79607d56cfe7f2befaf1981850702958e07a28d95029bd2f42a1d5bb09c83e5da541dec58ec9c752c

Download Submit
C:\Program Files\Voicemod Desktop\lib\VoicemodShockets.dll

Filesize
12KB

MD5
80e49cafaed9e42fed7380ef96f22922

SHA1
f6cb4095d3fbeb4f06f829ab13fe979c64728c7c

SHA256
3c560d555221dc58b10de2edbedab07541b9673e686279c883ee955646096f2c

SHA512
16f02c89b425aa8412d92945ddd1a8a87b78ffabb033a125ee9df5a51430fa2806579c710c7f9832a172a20919dffd33e98eecca512a98b3271053567a17d09c

Download Submit
C:\ProgramData\Voicemod\Temp\sdk-custom-fx01_44100.wav

Filesize
524KB

MD5
2516ae38a1111603415a6e333b774f38

SHA1
5c1803b3e5542a23db25f5fc55afa66ac0cae8dc

SHA256
4312292ed70789b7bbc6363df24ef91f98f19ad47d7458af2468031da23f0a24

SHA512
aa83d86e15fb5eb9ca627f9d35919ad126f2fd0eb107e0de9f1c5bbc9f126405e489549d11b13003ee1ff3c72604f1b7684a8562c4c5efe104d118e938f46d49

Download Submit
C:\ProgramData\Voicemod\VoiceData\sdk-custom-fx01.dat

Filesize
136KB

MD5
9e00c46f54c86ca14352960177e37b7c

SHA1
b41333fb5f8572d989136fdfc95791a7b5d9d563

SHA256
053c5a457729cf059c6bf023fc693246635b147040066e0953f5b5e119e68037

SHA512
1a2afa13b114e64b24d8823ed2df6d6b2a3829c49f90b09145d2ecc7b92423200e1f61c7dd657c567b3045902ee0e6c252f4d7d5567cdae9d637ee9b53ad8375

Download Submit
C:\ProgramData\Voicemod\VoiceData\sdk-walkie-terror-1.dat

Filesize
13KB

MD5
0ac77f83d2d00526db401718f13519c2

SHA1
6e1755c5ff69ca23ffd2af543b65fc299bc6a3ca

SHA256
254cca4fe05e8cb0b4d8ddd977258f1e780bb12f6d473e407e8445d1022649a8

SHA512
9336d5dd34e35b5199cc1fbe5cd98ad2d2f2d6fb9926907e8a78121fb58e9c17b320630e0f673bb70b2d1487b84654176ffb12cccb3cf1e7fa5317ce3d1ec64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
ed42c18ebb810104dbaa32aa6dbe2699

SHA1
dbcf8a5be41ee95b92c60fbd21150d466752d290

SHA256
7aa195d21d995703f7e2751e4d2843e7d7132e81ccc0a18b87e6c4ae8d2b23fe

SHA512
1f1d1220f71556aa997304e4abac5ed6b49bcf2ffe68e1e0c804dcab56ed328df3c6d19315c09f427d167d73bf0e150a3714baf820f6086696efe51ef4ef5bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_51A881270F6155CF26F60F8639C44CB6

Filesize
471B

MD5
6c7fa8ff380ee4af50f9c368c2be860c

SHA1
6529814f468ce2e99c83988940c46493528293a6

SHA256
6f694a5d9a0d98f0d82b088579dbd0538129c8f17421dd91016e35f7122d68fc

SHA512
8732e18c908150146dfb79220becf4cdaa1ef52c2fd87f7e68da930dba96d0d5e69e94d98126fbe2290bbc220c6898975cb4e8d54caeb590896802e54afbfccc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
96c389b11886402799c9144556714bff

SHA1
afb87ecf7edcde707cc81f7739139109eca30c49

SHA256
7e60b4c399c0392803474926bcf8ff45fd59354e4d71d4c3b147ff0ed56e3c1e

SHA512
857f80998e5f222a70e0e575a9b2a311c80e87662dafe47e891a307bd2a045c6a1d23db231c92df941ab5336fa5978d5531305239de0415dadb3d0c0a2a828c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_51A881270F6155CF26F60F8639C44CB6

Filesize
408B

MD5
cf02f958e2229b76a9564d08fab60b56

SHA1
f427bede77d0a3ae90caadb61e2858b29c64f873

SHA256
6fa95b73a0598b49c11d220fd8528860b5871ee08bfe5b109cc376ca531bf009

SHA512
ce73cc169c20a16f698bf5e2263450caed5adf9e2a0a9fd508fefa33a6afcb3f1549586337ed3851991a1cb2ac3202079cb1e4256c0c522485e49c672674bfec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VoicemodDesktop.exe.log

Filesize
1KB

MD5
67022ef4d501993f13a7c907910d2ea2

SHA1
2ae70f9fae494c52f415d442f4fbbbb01280f016

SHA256
d3042c73e34b33a183064b62348c0ed2931768ec0576bf51f3327f9dba085869

SHA512
a4f254356c5e3bef5e8156cf9dbb2c4dbcfbbfe44e73063948671aaa4955966b59e0bd9157612fad18023ce221be926ad58d289b28469f5b3db02b04e6fe7caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0ef26930e239597d5ac9634844c5adce

SHA1
1db656684a49bb9046b12f5c64dc08ebaaf1eb12

SHA256
56fe09e53fd2c891cb18b855c5dab57d8366e931dccb267f7905bf9b25bf099f

SHA512
447831b3fcce0f1df45b15214d16e27fc591118565c826e857baa644a775030f217cc0b58181a6f91d29aa11c9b80e5e11ef758f089c5ab1035391677ed9b8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52bee9eff8fbe1eb74788beb0cddc560

SHA1
5bdd0af476a53162f39c022ad72243f7e669d4e5

SHA256
0ad99aab4141bc170b845433a4efd06b21e6b13962ca08cd59686ad1be7feab2

SHA512
0118089ce0100234b2c8e8f36cbfd99fcb7009bc5f43a59b2b7de539327837eebaa9b2a508c0486f190bd343ef76ee5208d48ff7d7f8b6285087e0492a3f31f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
784ff0d3f1e29acba3253e6572055fa9

SHA1
dc887c4921ace72760b97d30de82f2a830baf890

SHA256
a8919ce9ed5344666235bae09ea54634f4b59f46186c6299c57d4714000dec57

SHA512
32ee74264ecb81d1213b994dd38c5a0fd299afc6dffbd536eba1f6662279a9884debe61e855312c90c2b84b91da28fd20a757cc362d4e207400af4d9a697778d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6806d9af06347331b82a44912390a358

SHA1
e4207527ef524712283277f72bf230cafabf75fd

SHA256
e32a338f5844d4c96c45c1a463035c4247357b4d3eabc5c858b31f3ab04885aa

SHA512
045ecaeb1f77f9ef5b6f9b46c64378a5d7a82b4d92eaca5b29f43290e16097594a723486b2bd4710e2cdd1e02fbab0e62cdcf2cd8a900acbf2d62bea33544442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc9b6c7774353873004260c3fc120017

SHA1
b2b597332ba80445aa637e38a14d8f37595783e8

SHA256
f2fb4f3dd6ca3ef0e3cac363df866a2437127e970cb91f3424855cba48304b80

SHA512
7b102c303864011b381d54bc57b25dc8bb8221ea566c4a9d0df1ecb19953167f6aa2e6e9a5b5df897d245cd304e357d508736870289f3f3eb1773b966d0bced4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21f6f1ec0bc29b8ac7cbd15f56f7bbdb

SHA1
3ba3792532a51f2c3ffeaab086f13e902184f235

SHA256
1b0af2cc52163c7b14d70c885457266edc8081db53b5b6ed8b70bda6203450f2

SHA512
b98f9405550d16045f3d711d946b51adab29df48c7b078a7b1568b9f36cc8f0c01963d26bd34bd73ec42ccc200326320e07fcf6447fa87200c7369dd7695923f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
915f1394ad9606882703daa2fdbac9cb

SHA1
ba181d61f5b8ec63957b10c3a57ee5d4c2dfc3a9

SHA256
0eee6d9171a5d7b409087563764847e529421cfd66051b0561143d8cb6407fac

SHA512
e473404cb282ba8100a21d1be49126bcd07bcf4e47e4d43bddd47fd94f4cb99fa84a8d6ca08bf5561804339cad92de79164573de57616fc48333065afd8c5b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
195a87e854474c7fab9676262bd4b2dc

SHA1
40d5b0fac03cc03ad1325dcc3b446c0969e2aad6

SHA256
e684139666b3e5c41e573b5d4defc92b3a566e9173d3149585546fbbb1ee296d

SHA512
8b58cffc4e95fa5ea52dbaac39c31e5601e73a4f7d40d6012d85bb538a3434eb5477f4244f571b5340e3580f0c33d66923435c0c1e187d4301dfc1cfac2e2a8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593d1f.TMP

Filesize
1KB

MD5
0af36ee83be8281ef0c9809892d7fda5

SHA1
19081f5998209d77ac77f05c8f1925be873fc8ad

SHA256
8de33f20cfb6c6beb7162ea5d92da9a0d277f8506442bbf1ff7d183b94404db5

SHA512
a62505fe29d83c4904e8a554df50a8bbd8365d5e88c42b5dca8fbf8a6d9dae040e6c6e7b7e4bbf6df8bf41b6ec76876a8cb39e062eef2a92bd3928f200999fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d31563a1f7260e5c1d90945d4ff1c8a2

SHA1
cd1eac9010982c9eec97c31765f4e52bf5ea2f0d

SHA256
e1ec4dbb6f521639a502424a9e09b3447f2c3892c74cb08259211097a114b792

SHA512
e5b89a840f288045846c05b1fd3b2191fe4a30424cb897eb249926999c4cbbc1f550684e9e55d365f5ab3eaf04f8fd841b7a87ddc59d47f66adf71f094e1851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a4bcedce2a166ab0edc3d88569ffbde2

SHA1
3bda6be3d0da8e1c680042f59ad95d5768c61947

SHA256
5588ed4c4b74dcfcae97e35a1fc5c6d8b6e7c05ac96b52077a76be73d016b4c2

SHA512
23d13c6aabbca735dae38a5954a85d1a1ba8d111c34af239f190c0c940d72a75fd2c17bef797ff140eca39d5f6904388e8ae6456e1dbc230e2a98ca4d1e31e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoicemodSDKDotNET.Amd64.1.3.0.7\VoicemodSDK.dll

Filesize
22.3MB

MD5
6b0543fb8961eeb922ca06caae8352f3

SHA1
8b266885db9a88f2f89078eee5d2b2bd0f5a0918

SHA256
e3dea719f31d200f4e9719d5a8e7e34ff385652bec82c2ee7fbbc48ac888fa1b

SHA512
9cb787d924d61cee4708941d52345e68998aaf230403bef0a1c73e5755f11a6fa19be917d9038617f485d3bc8ef46b90fab0bf3a0e1bb2f292dedba9c6463087

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe

Filesize
14.6MB

MD5
0b565f10d13fe55c05ff80149387a50b

SHA1
747540e8001fa6f5b3a44af2a87d5c30b4183016

SHA256
7cf24eba2bd67ea6229b7dd131e06f4e92ebefc06e36fe401cdd227d7ed78264

SHA512
cbcb8ebd45aea4e73f283bd6d3ba8367b118b786e12cb5298809288e3640fae84b0ccf0c23d80bb557385b7206d8ef3452b4ca7e82215a14e7169418d5690b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe

Filesize
14.0MB

MD5
f028144fa94ab6c59187e0eb235f01ca

SHA1
d6e1f8c8fff153a59a11fab9777ddab60d9d023c

SHA256
251640e8039d34290133b2c6e3e6fe098e61e2756d5a4c45fdcec9e4dee6c187

SHA512
a65506f77f1d497eb26ca3da8565977f46f715b7e1d18e2b5a36978d7989c07e2be8c9f6a2a34feca3808ed51e329f375ca2746d836e50191e7e6d144aa0f819

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp

Filesize
737KB

MD5
1a9f24ba757fd08f3b4db5570cd1bfd0

SHA1
6c8e5ee1db1bb8471dc2c2c7a1d9835d60df2d8d

SHA256
326071c6e04b3552414337cea066d809d987dbddbc8ad717626abc9dff748956

SHA512
bbc2bc152363d789c636941f71894b8a6062a5b37b33748c5e7eb6014bbb8ee0461c29fd892272758ece489abbe7cc4e0695f094a4963411723f698456c308a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{d6d9d755-21a1-004a-9992-bca29bcb94f0}\vmdrv.sys

Filesize
44KB

MD5
31acfc46ce310b4fa7750c3db047154e

SHA1
d99d6f7d2bad8dcac0516170f9b1c29946eef4f3

SHA256
1f6cbdc32658ffcf48f6a037302f96c515febe16b459eeddd9c5624d5be91182

SHA512
9f1edb81bd70d216afe265ccf8b0ebe3a62f2bb31204339402e250b7e844ae9ed7aba84754d21ddf2f5854e406cb36fac346501d321113c784d54dffb170807a

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\40g0ttds.newcfg

Filesize
2KB

MD5
58a3bcb724b64ea59a6d95ecb9569084

SHA1
f05574c0b985c86065a05cc94a56bf2301ba34d1

SHA256
97098f529186e38bd24ef8f18ea3cd01fa8967edc5f3bbda2a522c89579a60df

SHA512
2a288d372ca15e07ac344b46135c0d8f0c70f711925b82502da3d023c83405d4c5937c9bf46cc99ab047376b929ee6c45241bbd45413ebd8525d0f22e9e14fd7

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\5g2i0h32.newcfg

Filesize
2KB

MD5
57712607b32564b41c554175495e3eea

SHA1
b91e8ce98b361d9cf700da5a2dfe80a7d9e2b784

SHA256
06f8d25369e69372b807699ab9d8516bfc1908e1321402606a83f65fe0c7d740

SHA512
631ebd8a1f982f23a4521555b2f92a0f0a6f4436f9c0bfdfa12da74edef010a0b2b21dc80dfed7e63978c86889455e1d09a5564e9a740a5cffb92d584f83419a

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\dywe1xzu.newcfg

Filesize
2KB

MD5
1befef1025009c7b94cb71570f07b8d2

SHA1
eae4e237b70e2d4b312505d7c278ab41c6a82661

SHA256
d967dcbb53e4e68b59d5a79bcbb9361c43659c300b100ef427dfca257ac2e3a4

SHA512
9fa6f76d8e7c3da96efcea3a2cb79a3bb3da92e3ce0ae4b974bc3268d6176d82489cee23051d28990c1c1f5715229fd2ff645984989995601a58d8ed723318d5

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\ik1v252h.newcfg

Filesize
1KB

MD5
44e0a901780a5bc1d3b59fd359755b49

SHA1
6cf0d74cec57474b9023ccd0e9f290f49ceb08fc

SHA256
caa07c4a8c395559e7596d9c68fb78f7842949728383f119a18951c8e0555e85

SHA512
69de83e29a2499bbac50590eb008155c9806f7e8b7a38ed56a443c93cc4a8a89d4b74f09ded28392e88acc2fef6fd5661628d527126c119ecf6e920bdd2f3dd2

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\nu5lgecb.newcfg

Filesize
1001B

MD5
4c38c4d2f2d825653c0d94f18dee479d

SHA1
c8076b64a41526abe718f4d23352e265abc1a9fd

SHA256
ba18f2cd22a815d0944ef5c912dfddf24cd5ae025a4e64928d658a6711f31129

SHA512
7a99d8545254a6fbdd44e82e11da7ba95f5038d42663bfe37f57d69b00cd7b659828846ba8cae7f60a2951e276e28ac0cafad1234c027e02a553772d07c2cae1

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\qe0q505b.newcfg

Filesize
2KB

MD5
c1901bd0ce588c6243e6f8adbd5f873f

SHA1
f35a590e5e5cb0dd5e98a701c0cddb8ac0935e30

SHA256
c38d112e15b18e25cdaf1bb09ea05252c2cbeae7c524ee4048cd468c16636e91

SHA512
4638615bff1c1a9c0d1ea8c36ef96661c7d3d1d3605566f7653942b27b103367e598ddfd9bf8a9f3bb8bae972e1d15d0eb9e48affbdefb31939621c9608fd4c8

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
3KB

MD5
66e5080f3b3c877a29eaf413acb4f14e

SHA1
d59c360b527a02b170e7b562e6bb8a1c28be8dbc

SHA256
088713cbed1d12418e68501dc19c0064298c2d15c16b083ba67df9f846da661d

SHA512
b4171a5dadf2a52b62bda206fb833162d148f38817d5efde09ba6e1a57a0b4ee7fd8c11a481fb65df941869fc1841928588d5777276e78dee3ab79bee25a1224

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
2KB

MD5
cce69b78b5e3774cb43e1060921c49fb

SHA1
69d2b7a02d54809a0a44705d6f6431fb78df292f

SHA256
bcb5db386701ce57821357e2471440a8dadfaddb2a7e017b072f8a79c1925cfd

SHA512
a88c902ff01091717461dddab9189f2eaa14a5b793ffc5432d593c081ccd1d5216dd277d043cd88527d7d3336f1c243b7f591e7ab6ed680081d08e1c28f07bb5

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
2KB

MD5
9b8d2d6ecd864302cbeeaf5df4bdbac1

SHA1
a1032075a5a8cbaed24036b793910b2d9291f277

SHA256
a5acc184b57a38f27e93db619b745f2507239e65d9eefcf5a393e64b544bdd57

SHA512
8f30c8091ae1661b2a24c4bcdef4e782e6035162b8cf0f183856fe89ceb3e2e5115f33ad7ebd3e65adec25b7d34997638d82db009ed51b31eda0088edad3f887

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
580B

MD5
850b92922b6a569b4da027c1caf7a7cd

SHA1
852e09d5b0ccd4e11e0d8b2c1c084eae560aca07

SHA256
1551dd11ef2a6dd31557ece197d2db5d1a54ba79a71436824f3d6c0a976eda33

SHA512
d23614ac73fd233760cc26ec81418ba77175c56ac20d1cc933da06f79cc367e80a1a2e617c6eef3e120180956bacc749657d4624f9629116c19a5bc9948bb449

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
332B

MD5
9fdcac422aba9a832c4e1ba63c4f5633

SHA1
9d702a9454da3907bdd2cdee1cc7a792b25c2c6e

SHA256
733e489330d34542d6f8eca88b68115b6611f7cc4c44abe8433fe190784fce2d

SHA512
d759f45448cf0e9beac03e1c3a967a2d1d80d4155aa78128c33afa62c47f616399cf3c14f087707220e17d63153d17ebc8b9a66fff64f9cadadd9771ffbba56c

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\user.config

Filesize
3KB

MD5
d583096ca8f2aadd799d90e3aaeca0dc

SHA1
0d8946ee6cf9f46b24397363d2cec6ee69e853eb

SHA256
6517419bf5bdb77cca3f6b80b723e357add1fde97acf412361f0ecaeb430ac35

SHA512
d63c44fd9d73b5f398e13e7bc21cb91fb5af81a4e27730dc3a12db549b63be12a6449b229559798138865d641690c4ff7dc7c1c9248b3afb5f8f98133fa65e79

Download Submit
C:\Users\Admin\AppData\Local\Voicemod\VoicemodDesktop.exe_Url_5eqzat5j1vvntgkq3ppydjqwsvipp05p\1.2.6.8\ztnwiygw.newcfg

Filesize
3KB

MD5
90132032ffced7de31e5a3db11a6deae

SHA1
cbed047b8cffd765a8f2d6ff433e5de31306d0c5

SHA256
85526bff802532e812546afcb5fcd2d4f30f3dcb9d5f2fe75bdb913107f250db

SHA512
d08812b78ca2b62ceeed04e6cf20e2ac186fe54f73b01c10f34f67a437aadaea24f81787032f9438a373ccb9ce76549cbc12d2e8ab7e9018e373b6f9dcc3c1b1

Download Submit
C:\Users\Admin\AppData\Roaming\@[email protected]

Filesize
585B

MD5
90788922557cf3d1b2557bbef6887b87

SHA1
0c93138539752df012184e0338dea7626a468913

SHA256
abb94809298b8b574115518cc386604f3593e3499b38ff04401a5ce45c2f855f

SHA512
d92cb237b2e427d7b867d94dd220358570fc0eb936b3fb664ec509d3a63ff33c3727d6ac319ba5071c8cd7e672c3187f4a60741b2e23262ae3df22a8995493d1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
10.4MB

MD5
e1a6265ad1ca7ea4090a80192b18a182

SHA1
68f845b31c3a7ea8ce8be2c589ba5856948e0aab

SHA256
1618b1c2024e8287f887ba05bf6152fbe65927ea38f56371c4dd56ed8fbcd25a

SHA512
cbd6d4bdff0ca27e2acf2d19e86e8ecf6f46cbbf108e2c2d4642a5fd57b24c31506b716ec622f73812369dfe2798e41afb922e1439ec008d1f27690a04e66813

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Temp\{64C2A411-425C-44DE-AE4F-7AB61BFBE62B}\.ba\1055\license.rtf

Filesize
177KB

MD5
f1a281f74d3e91d16dd26d1f313cd8a9

SHA1
ddb2ca9032c5a9c091eac53b679f6ba428077b00

SHA256
f79108a254f876e0f6bbcb05a9effbe25dc252e7ea256bfe3fd28ceb79737f25

SHA512
484c5ca26275427e1fb74d3217a22a0e4aac409aba973e78d7ad68834e7ad1d86c7855d34b227925200f941d288dfc09477b2d7dfe0856810c6c847297b8d625

Download Submit
C:\Windows\Temp\{64C2A411-425C-44DE-AE4F-7AB61BFBE62B}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{64C2A411-425C-44DE-AE4F-7AB61BFBE62B}\.ba\wixstdba.dll

Filesize
215KB

MD5
f68f43f809840328f4e993a54b0d5e62

SHA1
01da48ce6c81df4835b4c2eca7e1d447be893d39

SHA256
e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e

SHA512
a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

Download Submit
C:\Windows\Temp\{A60A61C6-DF86-4316-AE12-9063B8D5B120}\.cr\vc_redist.x86.exe

Filesize
917KB

MD5
3d9d11e54c2b798c3fb51397560a28f5

SHA1
50d1ec1e655533491562162ea1b9735439297191

SHA256
8440d4640ee1eee29b31a85c1c05f6106b907a2967a2902570d53996230f9571

SHA512
175ec09520461fbb85e4d1829ca1123dbef7939807a6a837b1f04b445a52fb908b1c30ea07f6f0393486bb23a53bca5b18261c92d01e90dfe9c7f7a91d93a0b2

Download Submit
C:\Windows\Temp\{ED2F5488-7C7E-4D98-84D2-349C48F9B791}\.cr\vc_redist.x64.exe

Filesize
917KB

MD5
420a42886217db61f442287c83c5a31b

SHA1
b23b670645f17a39d424bc10416f652649273c05

SHA256
8c13a649c567be84e4e3a262689f6b59dcde3e9f8b0037869710fc693b2bc0ff

SHA512
c4c3c8f0e35afad415ce13b3cebc68749befed9e1d9ebef04a595f3c51a6ef59b9aea4dcc205b1743e9f04a2258c1911979871058220b926c9fbb0acc42d22ab

Download Submit
C:\Windows\Temp\{ED9613BF-0FF6-4CD7-8E4C-D419CBBCED97}\.ba\1036\license.rtf

Filesize
136KB

MD5
1da77b492870266e67626ce000528425

SHA1
bbde5f2e5c744bf7eb4931ad0be883bd8a89cee2

SHA256
84cfc67f98d7553ab6af43e9b8d89138a9f46d0fd9291a441d7fe73f5c1a9dc6

SHA512
1efbf899fd722d5ebe2b885deb37da601c4291000761ba1825b4a76c2b51d5b69e1e03106ef0e29a108cc6b8ba8ec69ee7c7af641fabdcb1154a35d3dcb263b1

Download Submit
\??\c:\program files\voicemod desktop\driver\vmdrv.cat

Filesize
10KB

MD5
2a806a9b70eeba9507bba3f6f44aab0b

SHA1
9577336a7c441c6df360a598e89eef7a3c765ff2

SHA256
488b32ba019c0db448d0669f70bdf564d0f4bd23c7f9592d185474b0d62c763a

SHA512
197a4bd6427c8be1d5a1eca2faa98b1cfcddc7bb53210ddb20e5916b55fe5c4064639932042855db6dac371bea30ca13d9403cd4d8679ea093930694cd37980e

Download Submit
memory/1228-2836-0x0000000000F30000-0x000000000122E000-memory.dmp

Filesize
3.0MB

Download
memory/1228-2833-0x0000000073840000-0x0000000073A5C000-memory.dmp

Filesize
2.1MB

Download
memory/1228-2832-0x0000000073BC0000-0x0000000073C42000-memory.dmp

Filesize
520KB

Download
memory/1228-2875-0x0000000000F30000-0x000000000122E000-memory.dmp

Filesize
3.0MB

Download
memory/1228-2835-0x0000000073A60000-0x0000000073A82000-memory.dmp

Filesize
136KB

Download
memory/1228-2876-0x0000000073BC0000-0x0000000073C42000-memory.dmp

Filesize
520KB

Download
memory/1228-2834-0x0000000073A90000-0x0000000073B12000-memory.dmp

Filesize
520KB

Download
memory/1228-2880-0x0000000073A60000-0x0000000073A82000-memory.dmp

Filesize
136KB

Download
memory/1228-2879-0x0000000073A90000-0x0000000073B12000-memory.dmp

Filesize
520KB

Download
memory/1228-2877-0x0000000073B40000-0x0000000073BB7000-memory.dmp

Filesize
476KB

Download
memory/1228-2878-0x0000000073B20000-0x0000000073B3C000-memory.dmp

Filesize
112KB

Download
memory/1228-2881-0x0000000073840000-0x0000000073A5C000-memory.dmp

Filesize
2.1MB

Download
memory/1328-810-0x000001A22B410000-0x000001A22B6E2000-memory.dmp

Filesize
2.8MB

Download
memory/2540-421-0x0000025CFF710000-0x0000025CFF71A000-memory.dmp

Filesize
40KB

Download
memory/2540-481-0x0000025C9F660000-0x0000025C9F66A000-memory.dmp

Filesize
40KB

Download
memory/2540-771-0x0000025CFFB10000-0x0000025CFFB86000-memory.dmp

Filesize
472KB

Download
memory/2540-719-0x0000025CFFA40000-0x0000025CFFA84000-memory.dmp

Filesize
272KB

Download
memory/2540-706-0x0000025CFF990000-0x0000025CFF998000-memory.dmp

Filesize
32KB

Download
memory/2540-705-0x0000025CFF980000-0x0000025CFF988000-memory.dmp

Filesize
32KB

Download
memory/2540-704-0x0000025CFF970000-0x0000025CFF978000-memory.dmp

Filesize
32KB

Download
memory/2540-703-0x0000025CFF960000-0x0000025CFF968000-memory.dmp

Filesize
32KB

Download
memory/2540-702-0x0000025CFF950000-0x0000025CFF958000-memory.dmp

Filesize
32KB

Download
memory/2540-701-0x0000025CFF8D0000-0x0000025CFF8E0000-memory.dmp

Filesize
64KB

Download
memory/2540-618-0x0000025CFF8C0000-0x0000025CFF8C8000-memory.dmp

Filesize
32KB

Download
memory/2540-617-0x0000025CFF790000-0x0000025CFF798000-memory.dmp

Filesize
32KB

Download
memory/2540-616-0x0000025CFF780000-0x0000025CFF78A000-memory.dmp

Filesize
40KB

Download
memory/2540-613-0x0000025CFF770000-0x0000025CFF77C000-memory.dmp

Filesize
48KB

Download
memory/2540-415-0x0000025CFF0F0000-0x0000025CFF3C2000-memory.dmp

Filesize
2.8MB

Download
memory/2540-615-0x0000025CFF9A0000-0x0000025CFF9E8000-memory.dmp

Filesize
288KB

Download
memory/2540-488-0x0000025CFF920000-0x0000025CFF942000-memory.dmp

Filesize
136KB

Download
memory/2540-487-0x0000025CFF8A0000-0x0000025CFF8B2000-memory.dmp

Filesize
72KB

Download
memory/2540-485-0x0000025C9FCA0000-0x0000025C9FCA8000-memory.dmp

Filesize
32KB

Download
memory/2540-772-0x0000025CFFA10000-0x0000025CFFA2E000-memory.dmp

Filesize
120KB

Download
memory/2540-477-0x0000025CFF8E0000-0x0000025CFF920000-memory.dmp

Filesize
256KB

Download
memory/2540-476-0x0000025CFF760000-0x0000025CFF76E000-memory.dmp

Filesize
56KB

Download
memory/2540-475-0x0000025CFF7A0000-0x0000025CFF7D8000-memory.dmp

Filesize
224KB

Download
memory/2540-474-0x0000025CFF730000-0x0000025CFF738000-memory.dmp

Filesize
32KB

Download
memory/2540-467-0x0000025C9BE60000-0x0000025C9D4C4000-memory.dmp

Filesize
22.4MB

Download
memory/2540-463-0x0000025CFF720000-0x0000025CFF72C000-memory.dmp

Filesize
48KB

Download
memory/2540-461-0x0000025CFF740000-0x0000025CFF752000-memory.dmp

Filesize
72KB

Download
memory/2540-419-0x0000025CFF7F0000-0x0000025CFF896000-memory.dmp

Filesize
664KB

Download
memory/2540-417-0x0000025CFF570000-0x0000025CFF57A000-memory.dmp

Filesize
40KB

Download
memory/4340-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/4340-426-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4340-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4340-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5116-425-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/5116-276-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/5116-23-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/5116-14-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/5116-13-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/5116-6-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/5808-1304-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download