File name: VoicemodInstaller_1.2.15-c48zwu.exe

Full analysis: https://app.any.run/tasks/908a03c8-4b64-408e-a188-81c274bb3429
Verdict: Malicious activity
Analysis date: November 17, 2024, 04:21:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: CAB9A73D8852F4A669FC1830430D1C20
SHA1: DA2B1AE46064DE0247FD46582132A3001578EBC4
SHA256: 32769083882BB85047E50541314073339CBE2CCB7CE044A88C27A5751CCD8B03
SSDEEP: 98304:dbUtdqZ3FWMo0iHNEGRltHg5YZz/6Pf8FMdJDxDBwcMSdObOS/Hro1e4Kv+BG/6m:04tlZLqt3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2444)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 6180)
      • net.exe (PID: 5816)
      • net.exe (PID: 1952)
      • net.exe (PID: 2808)
      • net.exe (PID: 1112)
      • net.exe (PID: 6540)
      • net.exe (PID: 4684)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 6132)
      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 5604)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • drvinst.exe (PID: 5912)
    • Reads security settings of Internet Explorer

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6216)
      • voicemodcon.exe (PID: 6664)
    • Reads the Windows owner or organization settings

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
    • Get information on the list of running processes

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • cmd.exe (PID: 2280)
    • Starts CMD.EXE for commands execution

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • powershell.exe (PID: 2444)
      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 920)
    • Executing commands from a ".bat" file

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • powershell.exe (PID: 2444)
    • Starts process via Powershell

      • powershell.exe (PID: 2444)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2780)
      • cmd.exe (PID: 3004)
    • Application launched itself

      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 920)
      • cmd.exe (PID: 3276)
    • Drops a system driver (possible attempt to evade defenses)

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • drvinst.exe (PID: 5912)
    • Checks Windows Trust Settings

      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
    • Creates files in the driver directory

      • drvinst.exe (PID: 4448)
      • drvinst.exe (PID: 5912)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 5912)
    • Uses DRIVERQUERY.EXE to obtain a list of installed device drivers

      • cmd.exe (PID: 5928)
      • cmd.exe (PID: 4012)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5928)
      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 6848)
      • cmd.exe (PID: 1440)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3744)
    • Uses WMIC.EXE

      • cmd.exe (PID: 6848)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 1752)
      • cmd.exe (PID: 7096)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6764)
      • cmd.exe (PID: 6408)
      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 2632)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 1440)
  • INFO

    • Create files in a temporary directory

      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 6132)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 5604)
      • voicemodcon.exe (PID: 6404)
      • AudioEndPointTool.exe (PID: 4316)
      • AudioEndPointTool.exe (PID: 6264)
      • voicemodcon.exe (PID: 6664)
      • AudioEndPointTool.exe (PID: 5160)
      • AudioEndPointTool.exe (PID: 2864)
      • AudioEndPointTool.exe (PID: 2796)
      • AudioEndPointTool.exe (PID: 6488)
      • AudioEndPointTool.exe (PID: 6268)
      • AudioEndPointTool.exe (PID: 6160)
      • crashpad_handler.exe (PID: 6124)
      • Voicemod.exe (PID: 5944)
    • Checks supported languages

      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 6132)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6216)
      • VoicemodInstaller_1.2.15-c48zwu.exe (PID: 5604)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • curl.exe (PID: 7104)
      • curl.exe (PID: 6164)
      • curl.exe (PID: 3396)
      • curl.exe (PID: 4224)
      • curl.exe (PID: 1788)
      • curl.exe (PID: 6236)
      • curl.exe (PID: 3524)
      • curl.exe (PID: 7088)
      • curl.exe (PID: 4232)
      • curl.exe (PID: 6624)
      • curl.exe (PID: 6192)
      • curl.exe (PID: 920)
      • curl.exe (PID: 6912)
      • curl.exe (PID: 764)
      • curl.exe (PID: 712)
      • curl.exe (PID: 1372)
      • curl.exe (PID: 6332)
      • curl.exe (PID: 1204)
      • SaveDefaultDevices.exe (PID: 2928)
      • voicemodcon.exe (PID: 6404)
      • AudioEndPointTool.exe (PID: 4316)
      • AudioEndPointTool.exe (PID: 5160)
      • AudioEndPointTool.exe (PID: 6264)
      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • AudioEndPointTool.exe (PID: 2864)
      • drvinst.exe (PID: 5912)
      • AudioEndPointTool.exe (PID: 2796)
      • AudioEndPointTool.exe (PID: 6268)
      • AudioEndPointTool.exe (PID: 6488)
      • AudioEndPointTool.exe (PID: 6160)
      • curl.exe (PID: 6188)
      • curl.exe (PID: 1804)
      • curl.exe (PID: 5068)
      • avx-checker.exe (PID: 1880)
      • curl.exe (PID: 2684)
      • curl.exe (PID: 6696)
      • curl.exe (PID: 1584)
      • curl.exe (PID: 6044)
      • Voicemod.exe (PID: 5944)
      • curl.exe (PID: 608)
      • crashpad_handler.exe (PID: 6124)
      • curl.exe (PID: 1280)
      • curl.exe (PID: 2300)
    • Process checks computer location settings

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6216)
    • Reads the computer name

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6216)
      • curl.exe (PID: 7104)
      • curl.exe (PID: 6164)
      • curl.exe (PID: 3396)
      • curl.exe (PID: 4224)
      • curl.exe (PID: 4232)
      • curl.exe (PID: 1788)
      • curl.exe (PID: 6624)
      • curl.exe (PID: 6236)
      • curl.exe (PID: 3524)
      • curl.exe (PID: 6912)
      • curl.exe (PID: 6192)
      • curl.exe (PID: 1372)
      • curl.exe (PID: 920)
      • curl.exe (PID: 712)
      • curl.exe (PID: 6332)
      • curl.exe (PID: 764)
      • curl.exe (PID: 7088)
      • curl.exe (PID: 1204)
      • SaveDefaultDevices.exe (PID: 2928)
      • AudioEndPointTool.exe (PID: 5160)
      • AudioEndPointTool.exe (PID: 4316)
      • AudioEndPointTool.exe (PID: 6264)
      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • AudioEndPointTool.exe (PID: 2864)
      • drvinst.exe (PID: 5912)
      • AudioEndPointTool.exe (PID: 2796)
      • AudioEndPointTool.exe (PID: 6268)
      • AudioEndPointTool.exe (PID: 6488)
      • AudioEndPointTool.exe (PID: 6160)
      • curl.exe (PID: 6188)
      • curl.exe (PID: 1804)
      • curl.exe (PID: 608)
      • curl.exe (PID: 2684)
      • curl.exe (PID: 6696)
      • curl.exe (PID: 6044)
      • curl.exe (PID: 1584)
      • Voicemod.exe (PID: 5944)
      • curl.exe (PID: 5068)
      • curl.exe (PID: 1280)
      • curl.exe (PID: 2300)
    • Reads the machine GUID from the registry

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • Voicemod.exe (PID: 5944)
    • Creates files in the program directory

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • SaveDefaultDevices.exe (PID: 2928)
      • cmd.exe (PID: 6180)
    • Creates a software uninstall entry

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
    • The process uses the downloaded file

      • powershell.exe (PID: 2444)
    • Creates files or folders in the user directory

      • VoicemodInstaller_1.2.15-c48zwu.tmp (PID: 6256)
      • Voicemod.exe (PID: 5944)
    • Reads the software policy settings

      • voicemodcon.exe (PID: 6664)
      • drvinst.exe (PID: 4448)
      • Voicemod.exe (PID: 5944)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6432)
      • WMIC.exe (PID: 5912)
      • WMIC.exe (PID: 6704)
    • Checks proxy server information

      • Voicemod.exe (PID: 5944)
    • Reads Environment values

      • Voicemod.exe (PID: 5944)
    • Sends debugging messages

      • Voicemod.exe (PID: 5944)
    • Reads CPU info

      • Voicemod.exe (PID: 5944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:17 06:07:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 156160
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Voicemod Inc., Sucursal en España
FileDescription: Voicemod Setup
FileVersion:
LegalCopyright: © 2024 Voicemod Inc., Sucursal en España - Version 1.2.15
OriginalFileName:
ProductName: Voicemod
ProductVersion: 1.2.15
All screenshots are available in the full report
Total processes: 273
Monitored processes: 141
Malicious processes: 20
Suspicious processes: 3

Behavior graph

Interactive process graph, available in the full report. Processes in the graph, in order of first appearance: voicemodinstaller_1.2.15-c48zwu.exe, voicemodinstaller_1.2.15-c48zwu.tmp, curl.exe, conhost.exe, cmd.exe, tasklist.exe, savedefaultdevices.exe, powershell.exe, net.exe, net1.exe, voicemodcon.exe, audioendpointtool.exe, drvinst.exe, driverquery.exe, findstr.exe, wmic.exe, netsh.exe, avx-checker.exe, voicemod.exe, crashpad_handler.exe.

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 608
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 35
Version: 8.4.0
Modules (images, all under c:\windows\system32\): curl.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, ws2_32.dll, rpcrt4.dll, bcrypt.dll, crypt32.dll, ucrtbase.dll

PID: 624
CMD: findstr /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all under c:\windows\system32\): findstr.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, user32.dll, win32u.dll, gdi32.dll, gdi32full.dll

PID: 712
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules (images, all under c:\windows\system32\): curl.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, ws2_32.dll, rpcrt4.dll, bcrypt.dll, crypt32.dll, ucrtbase.dll

PID: 712
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID: 764
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules (images, all under c:\windows\system32\): curl.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, ws2_32.dll, rpcrt4.dll, bcrypt.dll, crypt32.dll, ucrtbase.dll

PID: 824
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID: 864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID: 916
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID: 920
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules (images, all under c:\windows\system32\): curl.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, ws2_32.dll, rpcrt4.dll, bcrypt.dll, crypt32.dll, ucrtbase.dll

PID: 920
CMD: "C:\WINDOWS\system32\cmd.exe" /C ""C:\Program Files\Voicemod V3\driver\dumpInfo.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: VoicemodInstaller_1.2.15-c48zwu.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all under c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll, cmdext.dll

Total events: 36 467
Read events: 35 813
Write events: 647
Delete events: 7

Modification events

Process | Operation | Key | Name | Value
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3 | DownloadId | c48zwu
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Voicemod V3 | TermsAcceptedDate | 2024/11/17
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | VoicemodV3 | "C:\Program Files\Voicemod V3\Voicemod.exe"
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3 | InstallPath | C:\Program Files\Voicemod V3
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3 | Language | en
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\voicemod | URL Protocol | (empty)
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1 | Inno Setup: Setup Version | 6.0.3 (u)
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1 | Inno Setup: App Path | C:\Program Files\Voicemod V3
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1 | InstallLocation | C:\Program Files\Voicemod V3\
(6256) VoicemodInstaller_1.2.15-c48zwu.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1 | Inno Setup: Icon Group | Voicemod V3

Executable files: 41
Suspicious files: 22
Text files: 58
Unknown types: 2

Dropped files

PID | Process | Filename | Type
6132 | VoicemodInstaller_1.2.15-c48zwu.exe | C:\Users\admin\AppData\Local\Temp\is-7LKMH.tmp\VoicemodInstaller_1.2.15-c48zwu.tmp | executable
  MD5: 40FEA1FD83A62CE9D0E978132211D873 | SHA256: F3E685449311A56D26FEA9C398637489BDDE8DE076B2EA4411A00CFB676B0916
6256 | VoicemodInstaller_1.2.15-c48zwu.tmp | C:\Users\admin\AppData\Local\Temp\is-QJNQL.tmp\idp.dll | executable
  MD5: 55C310C0319260D798757557AB3BF636 | SHA256: 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
5604 | VoicemodInstaller_1.2.15-c48zwu.exe | C:\Users\admin\AppData\Local\Temp\is-4J15R.tmp\VoicemodInstaller_1.2.15-c48zwu.tmp | executable
  MD5: 40FEA1FD83A62CE9D0E978132211D873 | SHA256: F3E685449311A56D26FEA9C398637489BDDE8DE076B2EA4411A00CFB676B0916
6256 | VoicemodInstaller_1.2.15-c48zwu.tmp | C:\Users\admin\AppData\Local\Temp\is-QJNQL.tmp\mvvad.inf | text
  MD5: 4BE77F8AFECFC2B935017E2B6C231E0F | SHA256: F89D88D74C7EFECBAFB48F88511E9ADF56856A45571CB66D77DE5494D0A19627
6256 | VoicemodInstaller_1.2.15-c48zwu.tmp | C:\Program Files\Voicemod V3\driver\mvvad.inf | ini
  MD5: 4BE77F8AFECFC2B935017E2B6C231E0F | SHA256: F89D88D74C7EFECBAFB48F88511E9ADF56856A45571CB66D77DE5494D0A19627
6256 | VoicemodInstaller_1.2.15-c48zwu.tmp | C:\Program Files\Voicemod V3\driver\is-CTQQI.tmp | cat
  MD5: EF5A41F3D1570201C78C08B0112E175F | SHA256: F1A44FF4D1D73952A68547E697A3B9AB3E48809B53F1B1A199DE5103B7C49AA7
6256 | VoicemodInstaller_1.2.15-c48zwu.tmp | C:\Users\admin\AppData\Local\Temp\is-QJNQL.tmp\botva2.dll | executable
  MD5: 0177746573EED407F8DCA8A9E441AA49 | SHA256: A4B61626A1626FDABEC794E4F323484AA0644BAA1C905A5DCF785DC34564F008
6256 | VoicemodInstaller_1.2.15-c48zwu.tmp | C:\Program Files\Voicemod V3\is-UL6KE.tmp | executable
  MD5: 40FEA1FD83A62CE9D0E978132211D873 | SHA256: F3E685449311A56D26FEA9C398637489BDDE8DE076B2EA4411A00CFB676B0916
6256 | VoicemodInstaller_1.2.15-c48zwu.tmp | C:\Program Files\Voicemod V3\unins000.exe | executable
  MD5: 40FEA1FD83A62CE9D0E978132211D873 | SHA256: F3E685449311A56D26FEA9C398637489BDDE8DE076B2EA4411A00CFB676B0916
6256 | VoicemodInstaller_1.2.15-c48zwu.tmp | C:\Program Files\Voicemod V3\driver\mvvad.sys | executable
  MD5: EDD104527F5F56C8F890ABD915BB636C | SHA256: BA6C3BBB1BFFC04409983F4EAAFF103F8F9F8E044F35A0589F969113BBDB96DE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 56
DNS requests: 12
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6908 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6908 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 204 | 92.123.104.31:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | POST | 204 | 92.123.104.32:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | POST | 202 | 34.194.27.147:443 | https://s2s.mparticle.com/v2/events | unknown | - | - | whitelisted
- | - | POST | 200 | 35.244.178.73:443 | https://sentry.voicemod.net/api/99/envelope/ | unknown | binary | 41 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6908 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6908 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.36 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
api.voicemod.net | 35.205.157.23 | whitelisted
s2s.mparticle.com | 52.6.249.145, 44.195.71.93, 34.194.27.147, 34.193.166.210, 18.213.194.133, 18.214.153.156, 3.225.195.147, 44.199.14.103, 54.87.93.102, 44.206.200.33 | whitelisted
www.bing.com | 2.23.209.149, 2.23.209.176, 2.23.209.179, 2.23.209.187, 2.23.209.130, 2.23.209.133, 2.23.209.140, 2.23.209.189, 2.23.209.185 | whitelisted
self.events.data.microsoft.com | 20.189.173.9 | whitelisted
sentry.voicemod.net | 35.244.178.73 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted

Process | Message
Voicemod.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.