File name: VoicemodInstaller_1.2.15-c48zwu.exe

Full analysis: https://app.any.run/tasks/908a03c8-4b64-408e-a188-81c274bb3429
Verdict: Malicious activity
Analysis date: November 17, 2024, 04:21:16
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: CAB9A73D8852F4A669FC1830430D1C20
SHA1: DA2B1AE46064DE0247FD46582132A3001578EBC4
SHA256: 32769083882BB85047E50541314073339CBE2CCB7CE044A88C27A5751CCD8B03
SSDEEP: 98304:dbUtdqZ3FWMo0iHNEGRltHg5YZz/6Pf8FMdJDxDBwcMSdObOS/Hro1e4Kv+BG/6m:04tlZLqt3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2444)
    • Changes the autorun value in the registry

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
    • Starts NET.EXE for service management

      • net.exe (PID: 1952)
      • net.exe (PID: 5816)
      • cmd.exe (PID: 6180)
      • net.exe (PID: 2808)
      • net.exe (PID: 6540)
      • net.exe (PID: 1112)
      • net.exe (PID: 4684)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 6132)
      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 5604)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • drvinst.exe (PID: 5912)
    • Reads security settings of Internet Explorer

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6216)
      • voicemodcon.exe (PID: 6664)
    • Reads the Windows owner or organization settings

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
    • Get information on the list of running processes

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • cmd.exe (PID: 2280)
    • Starts CMD.EXE for commands execution

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • powershell.exe (PID: 2444)
      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 920)
    • Drops a system driver (possible attempt to evade defenses)

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • drvinst.exe (PID: 5912)
    • Starts process via Powershell

      • powershell.exe (PID: 2444)
    • Executing commands from a ".bat" file

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • powershell.exe (PID: 2444)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2780)
      • cmd.exe (PID: 3004)
    • Application launched itself

      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 920)
      • cmd.exe (PID: 3276)
    • Checks Windows Trust Settings

      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
    • Creates files in the driver directory

      • drvinst.exe (PID: 4448)
      • drvinst.exe (PID: 5912)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 5912)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5928)
      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 1440)
      • cmd.exe (PID: 6848)
      • cmd.exe (PID: 3744)
    • Uses DRIVERQUERY.EXE to obtain a list of installed device drivers

      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 5928)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 1440)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3744)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 7096)
      • cmd.exe (PID: 1752)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6764)
      • cmd.exe (PID: 2632)
      • cmd.exe (PID: 6408)
      • cmd.exe (PID: 2808)
    • Uses WMIC.EXE

      • cmd.exe (PID: 6848)
  • INFO

    • Checks supported languages

      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 6132)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6216)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 5604)
      • curl.exe (PID: 7104)
      • curl.exe (PID: 6164)
      • curl.exe (PID: 4232)
      • curl.exe (PID: 4224)
      • curl.exe (PID: 6624)
      • curl.exe (PID: 1788)
      • curl.exe (PID: 3396)
      • curl.exe (PID: 6236)
      • curl.exe (PID: 3524)
      • curl.exe (PID: 6192)
      • curl.exe (PID: 7088)
      • curl.exe (PID: 1204)
      • curl.exe (PID: 920)
      • curl.exe (PID: 764)
      • curl.exe (PID: 6912)
      • curl.exe (PID: 1372)
      • curl.exe (PID: 712)
      • curl.exe (PID: 6332)
      • SaveDefaultDevices.exe (PID: 2928)
      • voicemodcon.exe (PID: 6404)
      • AudioEndPointTool.exe (PID: 5160)
      • AudioEndPointTool.exe (PID: 4316)
      • AudioEndPointTool.exe (PID: 6264)
      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • drvinst.exe (PID: 5912)
      • AudioEndPointTool.exe (PID: 2796)
      • AudioEndPointTool.exe (PID: 2864)
      • AudioEndPointTool.exe (PID: 6268)
      • AudioEndPointTool.exe (PID: 6160)
      • AudioEndPointTool.exe (PID: 6488)
      • curl.exe (PID: 6188)
      • curl.exe (PID: 1804)
      • curl.exe (PID: 608)
      • curl.exe (PID: 2684)
      • curl.exe (PID: 6696)
      • curl.exe (PID: 6044)
      • curl.exe (PID: 1584)
      • Voicemod.exe (PID: 5944)
      • avx-checker.exe (PID: 1880)
      • curl.exe (PID: 5068)
      • crashpad_handler.exe (PID: 6124)
      • curl.exe (PID: 2300)
      • curl.exe (PID: 1280)
    • Create files in a temporary directory

      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 6132)
      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 5604)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • voicemodcon.exe (PID: 6404)
      • AudioEndPointTool.exe (PID: 5160)
      • AudioEndPointTool.exe (PID: 4316)
      • voicemodcon.exe (PID: 6664)
      • AudioEndPointTool.exe (PID: 6264)
      • AudioEndPointTool.exe (PID: 6268)
      • AudioEndPointTool.exe (PID: 2796)
      • AudioEndPointTool.exe (PID: 2864)
      • AudioEndPointTool.exe (PID: 6160)
      • AudioEndPointTool.exe (PID: 6488)
      • crashpad_handler.exe (PID: 6124)
      • Voicemod.exe (PID: 5944)
    • Process checks computer location settings

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6216)
    • Reads the computer name

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6216)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • curl.exe (PID: 7104)
      • curl.exe (PID: 3396)
      • curl.exe (PID: 4232)
      • curl.exe (PID: 6624)
      • curl.exe (PID: 4224)
      • curl.exe (PID: 1788)
      • curl.exe (PID: 6236)
      • curl.exe (PID: 1204)
      • curl.exe (PID: 6192)
      • curl.exe (PID: 3524)
      • curl.exe (PID: 7088)
      • curl.exe (PID: 712)
      • curl.exe (PID: 920)
      • curl.exe (PID: 1372)
      • curl.exe (PID: 764)
      • curl.exe (PID: 6912)
      • curl.exe (PID: 6332)
      • SaveDefaultDevices.exe (PID: 2928)
      • AudioEndPointTool.exe (PID: 5160)
      • AudioEndPointTool.exe (PID: 4316)
      • AudioEndPointTool.exe (PID: 6264)
      • voicemodcon.exe (PID: 6664)
      • curl.exe (PID: 6164)
      • drvinst.exe (PID: 5912)
      • drvinst.exe (PID: 4448)
      • AudioEndPointTool.exe (PID: 2796)
      • AudioEndPointTool.exe (PID: 2864)
      • AudioEndPointTool.exe (PID: 6488)
      • AudioEndPointTool.exe (PID: 6160)
      • AudioEndPointTool.exe (PID: 6268)
      • curl.exe (PID: 6188)
      • curl.exe (PID: 1804)
      • curl.exe (PID: 608)
      • curl.exe (PID: 2684)
      • curl.exe (PID: 6044)
      • curl.exe (PID: 6696)
      • curl.exe (PID: 1584)
      • Voicemod.exe (PID: 5944)
      • curl.exe (PID: 5068)
      • curl.exe (PID: 1280)
      • curl.exe (PID: 2300)
    • Reads the machine GUID from the registry

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • Voicemod.exe (PID: 5944)
    • Creates files in the program directory

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • SaveDefaultDevices.exe (PID: 2928)
      • cmd.exe (PID: 6180)
    • Creates files or folders in the user directory

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • Voicemod.exe (PID: 5944)
    • The process uses the downloaded file

      • powershell.exe (PID: 2444)
    • Creates a software uninstall entry

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
    • Reads the software policy settings

      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • Voicemod.exe (PID: 5944)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6704)
      • WMIC.exe (PID: 5912)
      • WMIC.exe (PID: 6432)
    • Reads Environment values

      • Voicemod.exe (PID: 5944)
    • Sends debugging messages

      • Voicemod.exe (PID: 5944)
    • Reads CPU info

      • Voicemod.exe (PID: 5944)
    • Checks proxy server information

      • Voicemod.exe (PID: 5944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:17 06:07:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 156160
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Voicemod Inc., Sucursal en España
FileDescription: Voicemod Setup
FileVersion:
LegalCopyright: © 2024 Voicemod Inc., Sucursal en España - Version 1.2.15
OriginalFileName:
ProductName: Voicemod
ProductVersion: 1.2.15
No data.
All screenshots are available in the full report
Total processes: 273
Monitored processes: 141
Malicious processes: 20
Suspicious processes: 3

Behavior graph

The interactive process tree is available in the full report.

Process information

PID: 608
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 35
Version: 8.4.0
Modules (images): c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll

PID: 624
CMD: findstr /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\findstr.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll

PID: 712
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules (images): c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll

PID: 712
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 764
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules (images): c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll

PID: 824
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 916
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 920
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules (images): c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll

PID: 920
CMD: "C:\WINDOWS\system32\cmd.exe" /C ""C:\Program Files\Voicemod V3\driver\dumpInfo.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\cmdext.dll
Total events: 36 467
Read events: 35 813
Write events: 647
Delete events: 7

Modification events

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation: write
Name: DownloadId
Value: c48zwu

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Voicemod V3
Operation: write
Name: TermsAcceptedDate
Value: 2024/11/17

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: VoicemodV3
Value: "C:\Program Files\Voicemod V3\Voicemod.exe"

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation: write
Name: InstallPath
Value: C:\Program Files\Voicemod V3

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation: write
Name: Language
Value: en

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\voicemod
Operation: write
Name: URL Protocol
Value:

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.0.3 (u)

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\Voicemod V3

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\Voicemod V3\

(PID) Process: (6256) VoicemodInstaller_1.2.15-c48zwu.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Voicemod V3

Executable files: 41
Suspicious files: 22
Text files: 58
Unknown types: 2

Dropped files

PID: 6256 | Process: VoicemodInstaller_1.2.15-c48zwu.tmp | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\is-QJNQL.tmp\bg-inner.png
MD5: A034EEAF19BB82B2AE63F4FA10C26476
SHA256: 8FE4A3F95D5309E692C4142F460BEBE4E4E24844F5A2071D466BD964C5D04DCF

PID: 6256 | Process: VoicemodInstaller_1.2.15-c48zwu.tmp | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\is-QJNQL.tmp\mvvad.inf
MD5: 4BE77F8AFECFC2B935017E2B6C231E0F
SHA256: F89D88D74C7EFECBAFB48F88511E9ADF56856A45571CB66D77DE5494D0A19627

PID: 5604 | Process: VoicemodInstaller_1.2.15-c48zwu.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-4J15R.tmp\VoicemodInstaller_1.2.15-c48zwu.tmp
MD5: 40FEA1FD83A62CE9D0E978132211D873
SHA256: F3E685449311A56D26FEA9C398637489BDDE8DE076B2EA4411A00CFB676B0916

PID: 2280 | Process: cmd.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\tasklist_unins000.exe.txt
MD5: 93348A0820E06A50FD4129C7EBD8E617
SHA256: 805C2A4ECA132BFFC45008C5B85BA8EC692CE51E5BE7B0045E2C0F431543A5A0

PID: 6256 | Process: VoicemodInstaller_1.2.15-c48zwu.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-QJNQL.tmp\idp.dll
MD5: 55C310C0319260D798757557AB3BF636
SHA256: 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED

PID: 6256 | Process: VoicemodInstaller_1.2.15-c48zwu.tmp | Type: ini
Filename: C:\Program Files\Voicemod V3\driver\mvvad.inf
MD5: 4BE77F8AFECFC2B935017E2B6C231E0F
SHA256: F89D88D74C7EFECBAFB48F88511E9ADF56856A45571CB66D77DE5494D0A19627

PID: 6256 | Process: VoicemodInstaller_1.2.15-c48zwu.tmp | Type: cat
Filename: C:\Program Files\Voicemod V3\driver\is-CTQQI.tmp
MD5: EF5A41F3D1570201C78C08B0112E175F
SHA256: F1A44FF4D1D73952A68547E697A3B9AB3E48809B53F1B1A199DE5103B7C49AA7

PID: 6256 | Process: VoicemodInstaller_1.2.15-c48zwu.tmp | Type: executable
Filename: C:\Program Files\Voicemod V3\unins000.exe
MD5: 40FEA1FD83A62CE9D0E978132211D873
SHA256: F3E685449311A56D26FEA9C398637489BDDE8DE076B2EA4411A00CFB676B0916

PID: 6256 | Process: VoicemodInstaller_1.2.15-c48zwu.tmp | Type: executable
Filename: C:\Program Files\Voicemod V3\is-UL6KE.tmp
MD5: 40FEA1FD83A62CE9D0E978132211D873
SHA256: F3E685449311A56D26FEA9C398637489BDDE8DE076B2EA4411A00CFB676B0916

PID: 6256 | Process: VoicemodInstaller_1.2.15-c48zwu.tmp | Type: cat
Filename: C:\Program Files\Voicemod V3\driver\mvvad.cat
MD5: EF5A41F3D1570201C78C08B0112E175F
SHA256: F1A44FF4D1D73952A68547E697A3B9AB3E48809B53F1B1A199DE5103B7C49AA7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 56
DNS requests: 12
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6908 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 204 | 92.123.104.31:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | POST | 204 | 92.123.104.32:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | POST | 202 | 34.194.27.147:443 | https://s2s.mparticle.com/v2/events | unknown | - | - | whitelisted
- | - | POST | 200 | 35.244.178.73:443 | https://sentry.voicemod.net/api/99/envelope/ | unknown | binary | 41 b | whitelisted
- | - | POST | 200 | 35.244.178.73:443 | https://sentry.voicemod.net/api/99/envelope/ | unknown | binary | 41 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6908 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6908 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted


DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.36 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
api.voicemod.net | 35.205.157.23 | whitelisted
s2s.mparticle.com | 52.6.249.145, 44.195.71.93, 34.194.27.147, 34.193.166.210, 18.213.194.133, 18.214.153.156, 3.225.195.147, 44.199.14.103, 54.87.93.102, 44.206.200.33 | whitelisted
www.bing.com | 2.23.209.149, 2.23.209.176, 2.23.209.179, 2.23.209.187, 2.23.209.130, 2.23.209.133, 2.23.209.140, 2.23.209.189, 2.23.209.185 | whitelisted
self.events.data.microsoft.com | 20.189.173.9 | whitelisted
sentry.voicemod.net | 35.244.178.73 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted

Process | Message
Voicemod.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.