Malware analysis Voice.ai-Downloader.exe Malicious activity

Add for printing

File name:	Voice.ai-Downloader.exe
Full analysis:	https://app.any.run/tasks/df0573b2-de1e-4ce0-b285-5d1ca3085c44
Verdict:	Malicious activity
Analysis date:	August 16, 2024, 23:04:30
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	netreactor
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	40FFAEA0C96BC8FD1AC022ECF287980B
SHA1:	C9FF64FECEE39AA1A4F1C930D6B6AD423E1B1C14
SHA256:	100DBA151EFE66C842FDE4337857FD3DB4568C1E3EE008E412927E67ED72094E
SSDEEP:	12288:NFl/zbr+CSgb1cLlmei0PPiKGjgQ5l2yLGwNtRl5Y9zMDIBEHgdwPRM3EFtSCy+B:bl/zbr+CSgb1cLlmei0PPiKGjgSl2yLL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Create files in the Startup directory
  - VoiceAI-Installer.exe (PID: 2768)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
  - vc2019.exe (PID: 4064)
  - vc2019.exe (PID: 1964)
  - drvinst.exe (PID: 3520)
  - VoiceAI.exe (PID: 6692)
- Drops the executable file immediately after the start
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
  - vc2019.exe (PID: 4064)
  - VoiceAI.exe (PID: 6692)
  - vc2019.exe (PID: 1964)
  - drvinst.exe (PID: 3520)
- Malware-specific behavior (creating "System.dll" in Temp)
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
- Reads security settings of Internet Explorer
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
  - VoiceAI.exe (PID: 6692)
  - VoiceAI.exe (PID: 6592)
  - VoiceAI.exe (PID: 6636)
  - VoiceAI.exe (PID: 5284)
  - VoiceAI.exe (PID: 5136)
  - VoiceAI.exe (PID: 5740)
  - VoiceAI.exe (PID: 5056)
  - VoiceAI.exe (PID: 2268)
  - VoiceAI.exe (PID: 2900)
  - VoiceAI.exe (PID: 6676)
  - VoiceAI.exe (PID: 6404)
- The process creates files with name similar to system file names
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
- Checks Windows Trust Settings
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
  - VoiceAI.exe (PID: 6692)
  - drvinst.exe (PID: 3520)
  - VoiceAI.exe (PID: 6592)
  - VoiceAI.exe (PID: 6636)
  - VoiceAI.exe (PID: 5284)
  - VoiceAI.exe (PID: 5740)
  - VoiceAI.exe (PID: 5056)
  - VoiceAI.exe (PID: 2268)
  - VoiceAI.exe (PID: 5136)
  - VoiceAI.exe (PID: 2900)
  - VoiceAI.exe (PID: 6676)
  - VoiceAI.exe (PID: 6404)
- Drops a system driver (possible attempt to evade defenses)
  - VoiceAI-Installer.exe (PID: 2768)
  - drvinst.exe (PID: 3520)
  - VoiceAI.exe (PID: 6692)
- Process drops legitimate windows executable
  - VoiceAI-Installer.exe (PID: 2768)
  - vc2019.exe (PID: 4064)
- Searches for installed software
  - vc2019.exe (PID: 1964)
- Adds/modifies Windows certificates
  - VoiceAI.exe (PID: 6692)
- Starts a Microsoft application from unusual location
  - vc2019.exe (PID: 1964)
- Creates a software uninstall entry
  - VoiceAI-Installer.exe (PID: 2768)
  - Voice.ai-Downloader.exe (PID: 7036)
- Creates files in the driver directory
  - drvinst.exe (PID: 3520)
- Creates or modifies Windows services
  - drvinst.exe (PID: 2388)
- Explorer used for Indirect Command Execution
  - explorer.exe (PID: 3992)
- Application launched itself
  - VoiceAI.exe (PID: 6592)
INFO
- Reads the computer name
  - Voice.ai-Downloader.exe (PID: 7036)
  - TextInputHost.exe (PID: 4004)
  - VoiceAI-Installer.exe (PID: 2768)
  - vc2019.exe (PID: 1964)
  - VoiceAI.exe (PID: 6692)
  - drvinst.exe (PID: 3520)
  - drvinst.exe (PID: 2388)
  - VoiceAI.exe (PID: 6592)
  - VoiceAI.exe (PID: 5740)
  - VoiceAI.exe (PID: 6636)
  - VoiceAI.exe (PID: 5136)
  - VoiceAI.exe (PID: 5284)
  - VoiceAI.exe (PID: 5056)
  - VoiceAI.exe (PID: 2900)
  - VoiceAI.exe (PID: 2268)
  - VoiceAI.exe (PID: 6676)
  - VoiceAI.exe (PID: 6404)
  - identity_helper.exe (PID: 6740)
- Create files in a temporary directory
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
  - vc2019.exe (PID: 1964)
  - VoiceAI.exe (PID: 6692)
  - VoiceAI.exe (PID: 6592)
- Reads the software policy settings
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
  - VoiceAI.exe (PID: 6692)
  - drvinst.exe (PID: 3520)
  - VoiceAI.exe (PID: 6592)
  - VoiceAI.exe (PID: 6636)
  - VoiceAI.exe (PID: 5740)
  - VoiceAI.exe (PID: 5056)
  - VoiceAI.exe (PID: 5284)
  - VoiceAI.exe (PID: 5136)
  - VoiceAI.exe (PID: 2900)
  - VoiceAI.exe (PID: 6676)
  - VoiceAI.exe (PID: 2268)
  - VoiceAI.exe (PID: 6404)
- Creates files or folders in the user directory
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
  - VoiceAI.exe (PID: 6692)
  - VoiceAI.exe (PID: 6592)
  - VoiceAI.exe (PID: 5056)
- Reads the machine GUID from the registry
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
  - VoiceAI.exe (PID: 6692)
  - VoiceAI.exe (PID: 6592)
  - drvinst.exe (PID: 3520)
  - VoiceAI.exe (PID: 6636)
  - VoiceAI.exe (PID: 5284)
  - VoiceAI.exe (PID: 5740)
  - VoiceAI.exe (PID: 5056)
  - VoiceAI.exe (PID: 5136)
  - VoiceAI.exe (PID: 2268)
  - VoiceAI.exe (PID: 2900)
  - VoiceAI.exe (PID: 6676)
  - VoiceAI.exe (PID: 6404)
- Checks proxy server information
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
  - VoiceAI.exe (PID: 6692)
  - VoiceAI.exe (PID: 6592)
- Checks supported languages
  - Voice.ai-Downloader.exe (PID: 7036)
  - TextInputHost.exe (PID: 4004)
  - VoiceAI-Installer.exe (PID: 2768)
  - vc2019.exe (PID: 4064)
  - VoiceAI.exe (PID: 6692)
  - vc2019.exe (PID: 1964)
  - drvinst.exe (PID: 3520)
  - VoiceAI.exe (PID: 6592)
  - drvinst.exe (PID: 2388)
  - VoiceAI.exe (PID: 6636)
  - VoiceAI.exe (PID: 5284)
  - VoiceAI.exe (PID: 5740)
  - VoiceAI.exe (PID: 2900)
  - VoiceAI.exe (PID: 5056)
  - VoiceAI.exe (PID: 5136)
  - VoiceAI.exe (PID: 2268)
  - VoiceAI.exe (PID: 6676)
  - VoiceAI.exe (PID: 6404)
  - identity_helper.exe (PID: 6740)
- Creates files in the program directory
  - Voice.ai-Downloader.exe (PID: 7036)
  - VoiceAI-Installer.exe (PID: 2768)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 3032)
- Reads Environment values
  - VoiceAI.exe (PID: 6592)
  - VoiceAI.exe (PID: 6636)
  - VoiceAI.exe (PID: 5056)
  - VoiceAI.exe (PID: 5284)
  - VoiceAI.exe (PID: 5136)
  - VoiceAI.exe (PID: 2900)
  - VoiceAI.exe (PID: 6676)
  - VoiceAI.exe (PID: 2268)
  - VoiceAI.exe (PID: 6404)
  - identity_helper.exe (PID: 6740)
- Process checks computer location settings
  - VoiceAI.exe (PID: 5136)
  - VoiceAI.exe (PID: 6592)
  - VoiceAI.exe (PID: 2900)
- Reads Microsoft Office registry keys
  - VoiceAI.exe (PID: 6592)
  - msedge.exe (PID: 5372)
- Application launched itself
  - msedge.exe (PID: 5372)
- .NET Reactor protector has been detected
  - VoiceAI.exe (PID: 5284)
  - VoiceAI.exe (PID: 5740)
  - VoiceAI.exe (PID: 6592)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:57:16+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	162816
UninitializedDataSize:	1024
EntryPoint:	0x33b3
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

199

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1344

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2432 --field-trial-handle=2428,i,17206404618123382405,3820608539016103658,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1964

"C:\WINDOWS\Temp\{18F38EB6-758C-45E2-A764-354FBD0B2D92}\.cr\vc2019.exe" -burn.clean.room="C:\Program Files\Voice.ai\tools\vc2019.exe" -burn.filehandle.attached=556 -burn.filehandle.self=552 /q /norestart

C:\Windows\Temp\{18F38EB6-758C-45E2-A764-354FBD0B2D92}\.cr\vc2019.exe

vc2019.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.31.31103

Exit code:

1638

Version:

14.31.31103.0

Modules

Images
c:\windows\temp\{18f38eb6-758c-45e2-a764-354fbd0b2d92}\.cr\vc2019.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2180

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x31c,0x320,0x324,0x314,0x32c,0x7fffcbb45fd8,0x7fffcbb45fe4,0x7fffcbb45ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2268

"C:\Program Files\Voice.ai\VoiceAI.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Voice.ai\debug.log" --mojo-platform-channel-handle=3660 --field-trial-handle=2668,i,13302062197374032245,9454328702638451682,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 --host-process-id=6592

C:\Program Files\Voice.ai\VoiceAI.exe

—

VoiceAI.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Voice.ai - Voice Changer

Exit code:

Version:

0.1.39

Modules

Images
c:\program files\voice.ai\voiceai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2388

DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:ed86ca11bfc96d40:VOICEAIDRIVER_SA:16.36.0.99:root\voiceaidriver," "46b7f3743" "00000000000001E0"

C:\Windows\System32\drvinst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

2768

"C:\Program Files\Voice.ai\VoiceAI-Installer.exe" /path "C:\Program Files\Voice.ai"

C:\Program Files\Voice.ai\VoiceAI-Installer.exe

Voice.ai-Downloader.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files\voice.ai\voiceai-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2900

"C:\Program Files\Voice.ai\VoiceAI.exe" --type=renderer --log-severity=disable --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --autoplay-policy=no-user-gesture-required --log-file="C:\Program Files\Voice.ai\debug.log" --use-fake-ui-for-media-stream --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3408 --field-trial-handle=2668,i,13302062197374032245,9454328702638451682,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=6592 /prefetch:1

C:\Program Files\Voice.ai\VoiceAI.exe

—

VoiceAI.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Voice.ai - Voice Changer

Version:

0.1.39

Modules

Images
c:\program files\voice.ai\voiceai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3032

C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\explorer.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

3520

DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{ade9b9e7-a01e-de42-8002-e8d0378c579c}\voiceaidriver.inf" "9" "46b7f3743" "0000000000000178" "WinSta0\Default" "00000000000001DC" "208" "c:\program files\voice.ai\voiceaidriver"

C:\Windows\System32\drvinst.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

3992

"C:\WINDOWS\explorer.exe" "C:\Program Files\Voice.ai\VoiceAI.exe"

C:\Windows\explorer.exe

—

VoiceAI-Installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

Add for printing

Total events

63 727

Read events

62 862

Write events

853

Delete events

Modification events


(PID) Process:	(7036) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7036) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7036) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7036) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(7036) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7036) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7036) Voice.ai-Downloader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7036) Voice.ai-Downloader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Voice.ai\Voice.ai Voice Changer
Operation:	write	Name:	InstallId
Value: A-e8902a66-b931-442f-8097-cedb23558753
(PID) Process:	(2768) VoiceAI-Installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2768) VoiceAI-Installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

276

Text files

104

Unknown types

Dropped files

PID	Process	Filename		Type
7036	Voice.ai-Downloader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE		der
		MD5:BEFF0E1266318F2472033061188A4801	SHA256:653354AE0416FACF8908C40CF211E172B25639D0B619EF480A79979BD7B32588
7036	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Temp\nsf5512.tmp\INetC.dll		executable
		MD5:2B342079303895C50AF8040A91F30F71	SHA256:2D5D89025911E2E273F90F393624BE4819641DBEE1606DE792362E442E54612F
7036	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\Voice.ai-Installer[1].exe		—
		MD5:—	SHA256:—
7036	Voice.ai-Downloader.exe	C:\Program Files\Voice.ai\VoiceAI-Installer.exe		—
		MD5:—	SHA256:—
7036	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Temp\nsf5512.tmp\System.dll		executable
		MD5:792B6F86E296D3904285B2BF67CCD7E0	SHA256:C7A20BCAA0197AEDDDC8E4797BBB33FDF70D980F5E83C203D148121C2106D917
7036	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Temp\nsf5512.tmp\nsProcess.dll		executable
		MD5:05450FACE243B3A7472407B999B03A72	SHA256:95FE9D92512FF2318CC2520311EF9145B2CEE01209AB0E1B6E45C7CE1D4D0E89
7036	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\user-event[1].json		binary
		MD5:7363E85FE9EDEE6F053A4B319588C086	SHA256:C955E57777EC0D73639DCA6748560D00AA5EB8E12F13EBB2ED9656ADD3908F97
7036	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\user-event[1].json		binary
		MD5:7363E85FE9EDEE6F053A4B319588C086	SHA256:C955E57777EC0D73639DCA6748560D00AA5EB8E12F13EBB2ED9656ADD3908F97
7036	Voice.ai-Downloader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		der
		MD5:971C514F84BBA0785F80AA1C23EDFD79	SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
7036	Voice.ai-Downloader.exe	C:\Users\admin\AppData\Local\Temp\vai-installer.log		binary
		MD5:7363E85FE9EDEE6F053A4B319588C086	SHA256:C955E57777EC0D73639DCA6748560D00AA5EB8E12F13EBB2ED9656ADD3908F97

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

138

DNS requests

108

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4920	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7036	Voice.ai-Downloader.exe	GET	200	192.229.221.95:80	http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAtMxJbHC8S4Cvw22aQAQxY%3D	unknown	—	—	whitelisted
4920	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7036	Voice.ai-Downloader.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsllCLO2YEqFaBOmVKKDvo%3D	unknown	—	—	whitelisted
7036	Voice.ai-Downloader.exe	GET	200	172.217.18.3:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
7036	Voice.ai-Downloader.exe	GET	200	172.217.18.3:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
6656	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4084	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2468	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	104.126.37.171:443	www.bing.com	Akamai International B.V.	DE	unknown
4920	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4920	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.186.46	whitelisted
www.bing.com	104.126.37.171 104.126.37.154 104.126.37.128 104.126.37.155 104.126.37.163 104.126.37.139 104.126.37.176 104.126.37.153 104.126.37.170 104.126.37.145 104.126.37.144 104.126.37.123 104.126.37.161 104.126.37.179 104.126.37.152 104.126.37.177	whitelisted
login.live.com	40.126.31.71 20.190.159.0 40.126.31.67 40.126.31.73 20.190.159.68 20.190.159.23 20.190.159.4 20.190.159.71	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.113.110.67 40.115.3.253	whitelisted
sv.voice.ai	54.242.46.35	unknown
status.rapidssl.com	192.229.221.95	whitelisted
voice.ai	172.67.71.63 104.26.6.223 104.26.7.223	unknown
c.pki.goog	172.217.18.3	whitelisted

Threats

PID	Process	Class	Message
5056	VoiceAI.exe	Not Suspicious Traffic	INFO [ANY.RUN] Global content delivery network (unpkg .com)
6524	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Global content delivery network (unpkg .com)
6524	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Global content delivery network (unpkg .com)

Add for printing

Process	Message
VoiceAI.exe	32feet.NET: 'InTheHand.Net.Personal, Version=3.5.605.0, Culture=neutral, PublicKeyToken=ea38caa273134499' versions: '3.5.605.0' and '3.5.0605.0'.
VoiceAI.exe	IBtIf using WidcommStBtIf.
VoiceAI.exe	Dependency DLL '32feetWidcomm' status: NotFound.
VoiceAI.exe	System.PlatformNotSupportedException: Microsoft Bluetooth stack not supported (radio).
VoiceAI.exe	System.Reflection.TargetInvocationException: Dependency DLL '32feetWidcomm' status: NotFound. ---> System.PlatformNotSupportedException: Dependency DLL '32feetWidcomm' status: NotFound. ---> System.DllNotFoundException: Unable to load DLL '32feetWidcomm': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
VoiceAI.exe	System.DllNotFoundException: Unable to load DLL 'BsSDK': The specified module could not be found. (Exception from HRESULT: 0x8007007E)

General Info

Voice.ai-Downloader.exe

40FFAEA0C96BC8FD1AC022ECF287980B

C9FF64FECEE39AA1A4F1C930D6B6AD423E1B1C14

100DBA151EFE66C842FDE4337857FD3DB4568C1E3EE008E412927E67ED72094E

12288:NFl/zbr+CSgb1cLlmei0PPiKGjgQ5l2yLGwNtRl5Y9zMDIBEHgdwPRM3EFtSCy+B:bl/zbr+CSgb1cLlmei0PPiKGjgSl2yLL

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

SUSPICIOUS

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Malware-specific behavior (creating "System.dll" in Temp)

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Checks Windows Trust Settings

Drops a system driver (possible attempt to evade defenses)

Process drops legitimate windows executable

Searches for installed software

Adds/modifies Windows certificates

Starts a Microsoft application from unusual location

Creates a software uninstall entry

Creates files in the driver directory

Creates or modifies Windows services

Explorer used for Indirect Command Execution

Application launched itself

INFO

Reads the computer name

Create files in a temporary directory

Reads the software policy settings

Creates files or folders in the user directory

Reads the machine GUID from the registry

Checks proxy server information

Checks supported languages

Creates files in the program directory

Reads security settings of Internet Explorer

Reads Environment values

Process checks computer location settings

Reads Microsoft Office registry keys

Application launched itself

.NET Reactor protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity