Malware analysis Voice.ai-Downloader.exe Malicious activity

Add for printing

File name:	Voice.ai-Downloader.exe
Full analysis:	https://app.any.run/tasks/c0b350a2-6f26-40d0-870d-68d1858c315e
Verdict:	Malicious activity
Analysis date:	January 25, 2025, 08:55:40
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	netreactor
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	40FFAEA0C96BC8FD1AC022ECF287980B
SHA1:	C9FF64FECEE39AA1A4F1C930D6B6AD423E1B1C14
SHA256:	100DBA151EFE66C842FDE4337857FD3DB4568C1E3EE008E412927E67ED72094E
SSDEEP:	12288:NFl/zbr+CSgb1cLlmei0PPiKGjgQ5l2yLGwNtRl5Y9zMDIBEHgdwPRM3EFtSCy+B:bl/zbr+CSgb1cLlmei0PPiKGjgSl2yLL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Create files in the Startup directory
  - VoiceAI-Installer.exe (PID: 6772)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
- The process creates files with name similar to system file names
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
- Reads security settings of Internet Explorer
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - VoiceAI.exe (PID: 6968)
  - VoiceAI.exe (PID: 6012)
  - VoiceAI.exe (PID: 6284)
  - VoiceAI.exe (PID: 6384)
  - VoiceAI.exe (PID: 2072)
  - VoiceAI.exe (PID: 3564)
  - VoiceAI.exe (PID: 6528)
  - VoiceAI.exe (PID: 6660)
  - VoiceAI.exe (PID: 520)
  - VoiceAI.exe (PID: 3732)
  - VoiceAI.exe (PID: 6380)
  - VoiceAI.exe (PID: 6756)
- Checks Windows Trust Settings
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - VoiceAI.exe (PID: 6968)
  - VoiceAI.exe (PID: 6012)
  - drvinst.exe (PID: 1688)
  - VoiceAI.exe (PID: 6284)
  - VoiceAI.exe (PID: 2072)
  - VoiceAI.exe (PID: 6384)
  - VoiceAI.exe (PID: 3564)
  - VoiceAI.exe (PID: 6528)
  - VoiceAI.exe (PID: 6660)
  - VoiceAI.exe (PID: 6380)
  - VoiceAI.exe (PID: 520)
  - VoiceAI.exe (PID: 3732)
  - VoiceAI.exe (PID: 6756)
- Executable content was dropped or overwritten
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - vc2019.exe (PID: 6896)
  - vc2019.exe (PID: 6920)
  - VoiceAI.exe (PID: 6968)
  - drvinst.exe (PID: 1688)
- There is functionality for taking screenshot (YARA)
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
- Process drops legitimate windows executable
  - VoiceAI-Installer.exe (PID: 6772)
  - vc2019.exe (PID: 6896)
- Drops a system driver (possible attempt to evade defenses)
  - VoiceAI-Installer.exe (PID: 6772)
  - VoiceAI.exe (PID: 6968)
  - drvinst.exe (PID: 1688)
- Starts a Microsoft application from unusual location
  - vc2019.exe (PID: 6920)
- Searches for installed software
  - vc2019.exe (PID: 6920)
- Creates a software uninstall entry
  - VoiceAI-Installer.exe (PID: 6772)
  - Voice.ai-Downloader.exe (PID: 6180)
- Adds/modifies Windows certificates
  - VoiceAI.exe (PID: 6968)
- Creates files in the driver directory
  - drvinst.exe (PID: 1688)
- Creates or modifies Windows services
  - drvinst.exe (PID: 3984)
- Explorer used for Indirect Command Execution
  - explorer.exe (PID: 1580)
- Application launched itself
  - VoiceAI.exe (PID: 6012)
INFO
- Checks supported languages
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - vc2019.exe (PID: 6920)
  - vc2019.exe (PID: 6896)
  - VoiceAI.exe (PID: 6968)
  - drvinst.exe (PID: 1688)
  - drvinst.exe (PID: 3984)
  - VoiceAI.exe (PID: 6012)
  - VoiceAI.exe (PID: 6284)
  - VoiceAI.exe (PID: 3564)
  - VoiceAI.exe (PID: 2072)
  - VoiceAI.exe (PID: 6380)
  - VoiceAI.exe (PID: 6384)
  - VoiceAI.exe (PID: 6528)
  - VoiceAI.exe (PID: 6660)
  - VoiceAI.exe (PID: 3732)
  - VoiceAI.exe (PID: 6756)
  - VoiceAI.exe (PID: 520)
- The sample compiled with english language support
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - vc2019.exe (PID: 6896)
  - vc2019.exe (PID: 6920)
  - VoiceAI.exe (PID: 6968)
  - drvinst.exe (PID: 1688)
- Reads the machine GUID from the registry
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - VoiceAI.exe (PID: 6968)
  - drvinst.exe (PID: 1688)
  - VoiceAI.exe (PID: 6012)
  - VoiceAI.exe (PID: 6284)
  - VoiceAI.exe (PID: 6384)
  - VoiceAI.exe (PID: 6528)
  - VoiceAI.exe (PID: 2072)
  - VoiceAI.exe (PID: 3564)
  - VoiceAI.exe (PID: 6380)
  - VoiceAI.exe (PID: 6660)
  - VoiceAI.exe (PID: 3732)
  - VoiceAI.exe (PID: 520)
  - VoiceAI.exe (PID: 6756)
- Reads the computer name
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - vc2019.exe (PID: 6920)
  - VoiceAI.exe (PID: 6968)
  - VoiceAI.exe (PID: 6012)
  - drvinst.exe (PID: 1688)
  - drvinst.exe (PID: 3984)
  - VoiceAI.exe (PID: 6284)
  - VoiceAI.exe (PID: 2072)
  - VoiceAI.exe (PID: 3564)
  - VoiceAI.exe (PID: 6384)
  - VoiceAI.exe (PID: 6528)
  - VoiceAI.exe (PID: 6660)
  - VoiceAI.exe (PID: 6380)
  - VoiceAI.exe (PID: 3732)
  - VoiceAI.exe (PID: 6756)
  - VoiceAI.exe (PID: 520)
- Reads the software policy settings
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - VoiceAI.exe (PID: 6968)
  - drvinst.exe (PID: 1688)
  - VoiceAI.exe (PID: 6012)
  - VoiceAI.exe (PID: 6284)
  - VoiceAI.exe (PID: 6384)
  - VoiceAI.exe (PID: 2072)
  - VoiceAI.exe (PID: 3564)
  - VoiceAI.exe (PID: 6528)
  - VoiceAI.exe (PID: 6660)
  - VoiceAI.exe (PID: 520)
  - VoiceAI.exe (PID: 3732)
  - VoiceAI.exe (PID: 6380)
  - VoiceAI.exe (PID: 6756)
- Checks proxy server information
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - VoiceAI.exe (PID: 6968)
  - VoiceAI.exe (PID: 6012)
- Creates files or folders in the user directory
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - VoiceAI.exe (PID: 6968)
  - VoiceAI.exe (PID: 6012)
  - VoiceAI.exe (PID: 6384)
- Creates files in the program directory
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
- Create files in a temporary directory
  - vc2019.exe (PID: 6920)
  - VoiceAI.exe (PID: 6968)
  - Voice.ai-Downloader.exe (PID: 6180)
  - VoiceAI-Installer.exe (PID: 6772)
  - VoiceAI.exe (PID: 6012)
- Reads Environment values
  - VoiceAI.exe (PID: 6968)
  - VoiceAI.exe (PID: 6012)
  - VoiceAI.exe (PID: 6284)
  - VoiceAI.exe (PID: 2072)
  - VoiceAI.exe (PID: 3564)
  - VoiceAI.exe (PID: 6384)
  - VoiceAI.exe (PID: 6528)
  - VoiceAI.exe (PID: 6660)
  - VoiceAI.exe (PID: 6380)
  - VoiceAI.exe (PID: 3732)
  - VoiceAI.exe (PID: 6756)
  - VoiceAI.exe (PID: 520)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 5320)
- Process checks computer location settings
  - VoiceAI.exe (PID: 6012)
  - VoiceAI.exe (PID: 6528)
  - VoiceAI.exe (PID: 6380)
  - VoiceAI.exe (PID: 6756)
- .NET Reactor protector has been detected
  - VoiceAI.exe (PID: 6012)
  - VoiceAI.exe (PID: 3564)
  - VoiceAI.exe (PID: 2072)
  - VoiceAI.exe (PID: 6384)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:57:16+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	162816
UninitializedDataSize:	1024
EntryPoint:	0x33b3
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

520

"C:\Program Files\Voice.ai\VoiceAI.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Voice.ai\debug.log" --mojo-platform-channel-handle=3856 --field-trial-handle=2660,i,1184594912798034307,9380011464542674876,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 --host-process-id=6012

C:\Program Files\Voice.ai\VoiceAI.exe

—

VoiceAI.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Voice.ai - Voice Changer

Version:

0.1.41.4

Modules

Images
c:\program files\voice.ai\voiceai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1580

"C:\WINDOWS\explorer.exe" "C:\Program Files\Voice.ai\VoiceAI.exe"

C:\Windows\explorer.exe

—

VoiceAI-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

1688

DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{d93171a0-6234-544f-8a95-1fc4b265d2ba}\voiceaidriver.inf" "9" "46b7f3743" "00000000000001D8" "WinSta0\Default" "00000000000001F0" "208" "c:\program files\voice.ai\voiceaidriver"

C:\Windows\System32\drvinst.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

2072

"C:\Program Files\Voice.ai\VoiceAI.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voice.ai\debug.log" --mojo-platform-channel-handle=3288 --field-trial-handle=2660,i,1184594912798034307,9380011464542674876,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=6012

C:\Program Files\Voice.ai\VoiceAI.exe

—

VoiceAI.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Voice.ai - Voice Changer

Version:

0.1.41.4

Modules

Images
c:\program files\voice.ai\voiceai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3564

"C:/Program Files/Voice.ai/VoiceAI.exe" discord 6012

C:\Program Files\Voice.ai\VoiceAI.exe

—

VoiceAI.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Voice.ai - Voice Changer

Version:

0.1.41.4

Modules

Images
c:\program files\voice.ai\voiceai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3732

"C:\Program Files\Voice.ai\VoiceAI.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\Voice.ai\debug.log" --mojo-platform-channel-handle=3568 --field-trial-handle=2660,i,1184594912798034307,9380011464542674876,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=6012

C:\Program Files\Voice.ai\VoiceAI.exe

—

VoiceAI.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Voice.ai - Voice Changer

Version:

0.1.41.4

Modules

Images
c:\program files\voice.ai\voiceai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3984

DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:ed86ca11bfc96d40:VOICEAIDRIVER_SA:16.36.0.99:root\voiceaidriver," "46b7f3743" "00000000000001D8"

C:\Windows\System32\drvinst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

5092

"C:\Users\admin\Desktop\Voice.ai-Downloader.exe"

C:\Users\admin\Desktop\Voice.ai-Downloader.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\voice.ai-downloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

5320

C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\explorer.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

6012

"C:\Program Files\Voice.ai\VoiceAI.exe"

C:\Program Files\Voice.ai\VoiceAI.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Voice.ai - Voice Changer

Version:

0.1.41.4

Modules

Images
c:\program files\voice.ai\voiceai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

49 684

Read events

49 024

Write events

651

Delete events

Modification events


(PID) Process:	(6180) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6180) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6180) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6180) Voice.ai-Downloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Voice.ai\Voice.ai Voice Changer
Operation:	write	Name:	InstallId
Value: A-99bcdab3-4be3-43db-bac4-9010d527b72d
(PID) Process:	(6772) VoiceAI-Installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6772) VoiceAI-Installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6772) VoiceAI-Installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6772) VoiceAI-Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voice.ai
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\Voice.ai\uninstall.exe"
(PID) Process:	(6772) VoiceAI-Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voice.ai
Operation:	write	Name:	QuietUninstallString
Value: "C:\Program Files\Voice.ai\uninstall.exe" /S
(PID) Process:	(6772) VoiceAI-Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voice.ai
Operation:	write	Name:	InstallLocation
Value: "C:\Program Files\Voice.ai"

Add for printing

Executable files

Suspicious files

211

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6180	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Temp\nsz55F4.tmp\System.dll		executable
		MD5:792B6F86E296D3904285B2BF67CCD7E0	SHA256:C7A20BCAA0197AEDDDC8E4797BBB33FDF70D980F5E83C203D148121C2106D917
6180	Voice.ai-Downloader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:0BAE895B71FE83D91DFE32E08C3C3669	SHA256:D2126C484D166541E52775E4C8F5B46B76D902B1C6FCBE6B1F83EF85F3E5B664
6180	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\Voice.ai-Installer[1].exe		—
		MD5:—	SHA256:—
6180	Voice.ai-Downloader.exe	C:\Program Files\Voice.ai\VoiceAI-Installer.exe		—
		MD5:—	SHA256:—
6180	Voice.ai-Downloader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\773CFF2C7835D48C4E76FE153DBA9F81_06BAAB4B106148BBEEB533DB7B1C6AE1		binary
		MD5:A060A1FB68261D73227B854A519FFB56	SHA256:3319D2F0B8B8D182E5AA215D62A242BF24C269B7B9B2EECE8562D475D88B7699
6180	Voice.ai-Downloader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE		binary
		MD5:FBA14777608D2354CE778753161B4B2C	SHA256:6028E136655CE6746C167AE7860D03903605D892AC789CEEF535DAB75F0027CE
6180	Voice.ai-Downloader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:B544E179CD8050349FE0B9A1DF875C1C	SHA256:0B7627742D00DA6F7E0A67A4F41F53598D72AFD0FFC741162CC9C013C708C1D0
6180	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Temp\vai-id.log		text
		MD5:309D46EE962317F6D7B8B3EB5866A519	SHA256:BF28046639407A9FF6B715E5A15F42599C85F5249B0741A4893FFBD4348519DB
6180	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\user-event[1].json		binary
		MD5:7363E85FE9EDEE6F053A4B319588C086	SHA256:C955E57777EC0D73639DCA6748560D00AA5EB8E12F13EBB2ED9656ADD3908F97
6180	Voice.ai-Downloader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE		binary
		MD5:A2D8DD08F467B93BEEB9F1968A6B7486	SHA256:BF01309588DC0C5D28D28609CF24AF4D41C0B710147D7B72FE42B137331A1EB6

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.77.197.149:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4308	svchost.exe	GET	200	23.77.197.149:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4308	svchost.exe	GET	200	2.20.118.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.20.118.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.20.118.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.51.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6180	Voice.ai-Downloader.exe	GET	200	23.51.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsllCLO2YEqFaBOmVKKDvo%3D	unknown	—	—	whitelisted
6180	Voice.ai-Downloader.exe	GET	200	23.51.98.7:80	http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAEmdZX6cPAWee2YZvzFMPY%3D	unknown	—	—	whitelisted
6968	VoiceAI.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D	unknown	—	—	whitelisted
6180	Voice.ai-Downloader.exe	GET	200	142.250.178.131:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.77.197.149:80	crl.microsoft.com	Akamai International B.V.	FR	whitelisted
4308	svchost.exe	23.77.197.149:80	crl.microsoft.com	Akamai International B.V.	FR	whitelisted
5064	SearchApp.exe	2.22.251.22:443	www.bing.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.20.118.102:80	www.microsoft.com	RCS & RDS	RO	whitelisted
4308	svchost.exe	2.20.118.102:80	www.microsoft.com	RCS & RDS	RO	whitelisted
—	—	2.20.118.102:80	www.microsoft.com	RCS & RDS	RO	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	23.51.98.7:80	ocsp.digicert.com	Akamai International B.V.	US	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.77.197.149	whitelisted
www.bing.com	2.22.251.22	whitelisted
google.com	142.250.179.110	whitelisted
www.microsoft.com	2.20.118.102	whitelisted
ocsp.digicert.com	23.51.98.7	whitelisted
sv.voice.ai	54.242.46.35	unknown
status.rapidssl.com	23.51.98.7	whitelisted
voice.ai	104.26.6.223	unknown
c.pki.goog	142.250.178.131	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted

Threats

PID	Process	Class	Message
6384	VoiceAI.exe	Not Suspicious Traffic	INFO [ANY.RUN] Global content delivery network (unpkg .com)

Add for printing

No debug info

General Info

Voice.ai-Downloader.exe

40FFAEA0C96BC8FD1AC022ECF287980B

C9FF64FECEE39AA1A4F1C930D6B6AD423E1B1C14

100DBA151EFE66C842FDE4337857FD3DB4568C1E3EE008E412927E67ED72094E

12288:NFl/zbr+CSgb1cLlmei0PPiKGjgQ5l2yLGwNtRl5Y9zMDIBEHgdwPRM3EFtSCy+B:bl/zbr+CSgb1cLlmei0PPiKGjgSl2yLL

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Process drops legitimate windows executable

Drops a system driver (possible attempt to evade defenses)

Starts a Microsoft application from unusual location

Searches for installed software

Creates a software uninstall entry

Adds/modifies Windows certificates

Creates files in the driver directory

Creates or modifies Windows services

Explorer used for Indirect Command Execution

Application launched itself

INFO

Checks supported languages

The sample compiled with english language support

Reads the machine GUID from the registry

Reads the computer name

Reads the software policy settings

Checks proxy server information

Creates files or folders in the user directory

Creates files in the program directory

Create files in a temporary directory

Reads Environment values

Reads security settings of Internet Explorer

Process checks computer location settings

.NET Reactor protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests