File name:

VoicemodInstaller_1.3.1-h8fxkg.exe

Full analysis: https://app.any.run/tasks/a3a16b5c-db51-424c-96b9-54dc24d4c486
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 14, 2025, 19:39:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:

20F3E9BC331E58234552A551F7A1A5C4

SHA1:

5B7DC5ACFD6F0374B144E7246F525B03721AA39F

SHA256:

3EA0876BCD4A56AE6CA3F21E3441DE513553CA8B0CA5179C6CB377FB707FDBF9

SSDEEP:

98304:GbU3dqZ3FWMo0iHNEGRltHg5YZz/6Pf8FMdJDxDBwcMSdObOS/Hro1e4Kv+BG/6w:d1Jsh8ftkHb4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3700)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 2396)
      • net.exe (PID: 4976)
      • net.exe (PID: 3172)
      • net.exe (PID: 3612)
      • net.exe (PID: 1556)
      • net.exe (PID: 2928)
      • net.exe (PID: 3152)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • VoicemodInstaller_1.3.1-h8fxkg.exe (PID: 3560)
      • VoicemodInstaller_1.3.1-h8fxkg.exe (PID: 5548)
      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • voicemodcon.exe (PID: 5576)
      • drvinst.exe (PID: 1188)
      • drvinst.exe (PID: 4668)
    • Reads security settings of Internet Explorer

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 1356)
    • Get information on the list of running processes

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • cmd.exe (PID: 3952)
    • Starts CMD.EXE for commands execution

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • powershell.exe (PID: 3700)
      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 4336)
      • cmd.exe (PID: 3260)
    • Executing commands from a ".bat" file

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • powershell.exe (PID: 3700)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4968)
      • cmd.exe (PID: 4708)
    • Starts process via Powershell

      • powershell.exe (PID: 3700)
    • Application launched itself

      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 4336)
      • cmd.exe (PID: 3260)
    • Drops a system driver (possible attempt to evade defenses)

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • voicemodcon.exe (PID: 5576)
      • drvinst.exe (PID: 4668)
      • drvinst.exe (PID: 1188)
    • Creates files in the driver directory

      • drvinst.exe (PID: 1188)
      • drvinst.exe (PID: 4668)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 3700)
    • Uses DRIVERQUERY.EXE to obtain a list of installed device drivers

      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 1348)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1348)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 4164)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 3988)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 4164)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3988)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 5540)
      • cmd.exe (PID: 1876)
      • cmd.exe (PID: 1512)
      • cmd.exe (PID: 1856)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 736)
      • cmd.exe (PID: 2632)
    • Uses WMIC.EXE

      • cmd.exe (PID: 2148)
  • INFO

    • Create files in a temporary directory

      • VoicemodInstaller_1.3.1-h8fxkg.exe (PID: 3560)
      • VoicemodInstaller_1.3.1-h8fxkg.exe (PID: 5548)
      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • voicemodcon.exe (PID: 2828)
      • voicemodcon.exe (PID: 5576)
      • AudioEndPointTool.exe (PID: 5212)
      • AudioEndPointTool.exe (PID: 3732)
      • AudioEndPointTool.exe (PID: 5252)
      • AudioEndPointTool.exe (PID: 5212)
      • AudioEndPointTool.exe (PID: 4684)
      • AudioEndPointTool.exe (PID: 4020)
      • AudioEndPointTool.exe (PID: 5028)
      • crashpad_handler.exe (PID: 488)
      • Voicemod.exe (PID: 4392)
    • Checks supported languages

      • VoicemodInstaller_1.3.1-h8fxkg.exe (PID: 3560)
      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 1356)
      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • VoicemodInstaller_1.3.1-h8fxkg.exe (PID: 5548)
      • curl.exe (PID: 2996)
      • curl.exe (PID: 5208)
      • curl.exe (PID: 2088)
      • curl.exe (PID: 3260)
      • curl.exe (PID: 4512)
      • curl.exe (PID: 5092)
      • curl.exe (PID: 1904)
      • curl.exe (PID: 4128)
      • curl.exe (PID: 4684)
      • curl.exe (PID: 2396)
      • curl.exe (PID: 4388)
      • SaveDefaultDevices.exe (PID: 4548)
      • AudioEndPointTool.exe (PID: 3772)
      • AudioEndPointTool.exe (PID: 3732)
      • AudioEndPointTool.exe (PID: 5212)
      • voicemodcon.exe (PID: 5576)
      • voicemodcon.exe (PID: 2828)
      • AudioEndPointTool.exe (PID: 4684)
      • avx-checker.exe (PID: 2996)
      • curl.exe (PID: 5576)
      • curl.exe (PID: 1944)
      • Voicemod.exe (PID: 4392)
    • Process checks computer location settings

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 1356)
    • Reads the computer name

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 1356)
      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • curl.exe (PID: 5208)
      • curl.exe (PID: 1760)
      • curl.exe (PID: 3260)
      • curl.exe (PID: 4128)
      • curl.exe (PID: 4684)
      • curl.exe (PID: 4512)
      • SaveDefaultDevices.exe (PID: 4548)
      • curl.exe (PID: 2396)
      • curl.exe (PID: 5576)
      • Voicemod.exe (PID: 4392)
      • curl.exe (PID: 1476)
    • Execution of CURL command

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
    • Reads the machine GUID from the registry

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • voicemodcon.exe (PID: 5576)
      • drvinst.exe (PID: 1188)
    • The sample compiled with russian language support

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
    • Creates files or folders in the user directory

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
    • The sample compiled with english language support

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
      • voicemodcon.exe (PID: 5576)
      • drvinst.exe (PID: 4668)
      • drvinst.exe (PID: 1188)
    • Creates files in the program directory

      • VoicemodInstaller_1.3.1-h8fxkg.tmp (PID: 5472)
    • Reads the software policy settings

      • voicemodcon.exe (PID: 5576)
      • drvinst.exe (PID: 1188)
      • Voicemod.exe (PID: 4392)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 3612)
    • Checks proxy server information

      • Voicemod.exe (PID: 4392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:17 06:07:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 156160
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Voicemod Inc., Sucursal en España
FileDescription: Voicemod Setup
FileVersion:
LegalCopyright: © 2025 Voicemod Inc., Sucursal en España - Version 1.3.1
OriginalFileName:
ProductName: Voicemod
ProductVersion: 1.3.1
No data.
All screenshots are available in the full report
Total processes
267
Monitored processes
141
Malicious processes
10
Suspicious processes
1

Behavior graph

start voicemodinstaller_1.3.1-h8fxkg.exe voicemodinstaller_1.3.1-h8fxkg.tmp no specs voicemodinstaller_1.3.1-h8fxkg.exe voicemodinstaller_1.3.1-h8fxkg.tmp curl.exe conhost.exe no specs curl.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs savedefaultdevices.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs voicemodcon.exe no specs net.exe no specs net1.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs voicemodcon.exe drvinst.exe drvinst.exe net.exe no specs net1.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs cmd.exe no specs conhost.exe no specs driverquery.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs driverquery.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs cmd.exe no specs 
conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs avx-checker.exe no specs conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs voicemod.exe curl.exe conhost.exe no specs curl.exe conhost.exe no specs crashpad_handler.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 132
CMD: "C:\WINDOWS\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"bb926e54-e3ca-40fd-ae90-2764341e7792\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"bb926e54-e3ca-40fd-ae90-2764341e7792\"},\"mp_deviceid\": \"bb926e54-e3ca-40fd-ae90-2764341e7792\",\"events\": [{\"data\": {\"event_name\": \"V3 Temp Installer Disabling Driver Failed\" , \"custom_attributes\": { \"version\": \"1.3.1\", \"app_version\": \"1.3.1\", \"machine_guid\": \"bb926e54-e3ca-40fd-ae90-2764341e7792\", \"country\": \"United States\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19045)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"h8fxkg\",\"error_code\": \"0,-1\",\"cpu_name\": \"Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz\", \"memory_size\": \"3 GB\", \"antivirus_name\": \"Windows Defender\", \"audio_devices\": \"[\\\"Realtek AC'97 Audio\\\",\\\"Voicemod Virtual Audio Device (WDM)\\\"]\" }},\"event_type\": \"custom_event\"}],\"ip\": \"\",\"environment\": \"production\"}"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.3.1-h8fxkg.tmp
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
PID: 372
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.3.1-h8fxkg.tmp
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 488
CMD: "C:\Program Files\Voicemod V3\crashpad_handler.exe" --no-rate-limit --database=C:\Users\admin\AppData\Local\Temp\.voicemod-launcher --metrics-dir=C:\Users\admin\AppData\Local\Temp\.voicemod-launcher --url=https://sentry.voicemod.net:443/api/99/minidump/?sentry_client=sentry.native/0.6.0&sentry_key=8180826154b54352875728e511f6b737 --attachment=C:\Users\admin\AppData\Local\Temp\.voicemod-launcher\7ede587b-262c-4bb7-a022-981848228620.run\__sentry-event --attachment=C:\Users\admin\AppData\Local\Temp\.voicemod-launcher\7ede587b-262c-4bb7-a022-981848228620.run\__sentry-breadcrumb1 --attachment=C:\Users\admin\AppData\Local\Temp\.voicemod-launcher\7ede587b-262c-4bb7-a022-981848228620.run\__sentry-breadcrumb2 --initial-client-data=0x4bc,0x4a4,0x510,0x428,0x4d0,0x7ff7b5b67038,0x7ff7b5b67050,0x7ff7b5b67068
Path: C:\Program Files\Voicemod V3\crashpad_handler.exe
Parent process: Voicemod.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\program files\voicemod v3\crashpad_handler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\powrprof.dll
PID: 732
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 736
CMD: "C:\WINDOWS\system32\cmd.exe" /C netsh advfirewall firewall delete rule name=all program="C:\Program Files\Voicemod V3\Voicemod.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: VoicemodInstaller_1.3.1-h8fxkg.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 848
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.3.1-h8fxkg.tmp
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
PID: 936
CMD: C:\WINDOWS\system32\cmd.exe /c "voicemodcon.exe dp_enum"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 936
CMD: C:\WINDOWS\system32\net1 start audiosrv
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
Total events
36 668
Read events
36 014
Write events
647
Delete events
7

Modification events

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation: write
Name: DownloadId
Value: h8fxkg

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Voicemod V3
Operation: write
Name: TermsAcceptedDate
Value: 2025/01/14

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: VoicemodV3
Value: "C:\Program Files\Voicemod V3\Voicemod.exe" --boot

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation: write
Name: InstallPath
Value: C:\Program Files\Voicemod V3

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation: write
Name: Language
Value: en

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\voicemod
Operation: write
Name: URL Protocol
Value:

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.0.3 (u)

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\Voicemod V3

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\Voicemod V3\

Process: (5472) VoicemodInstaller_1.3.1-h8fxkg.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Voicemod V3
Executable files
45
Suspicious files
28
Text files
51
Unknown types
0

Dropped files

PID | Process | Filename | Type

5548 | VoicemodInstaller_1.3.1-h8fxkg.exe | C:\Users\admin\AppData\Local\Temp\is-JT5RK.tmp\VoicemodInstaller_1.3.1-h8fxkg.tmp | executable
MD5: 735EF84DE3A30943CDB93C53C4FBE32E
SHA256: 51265B72871FAB6D4CDB98908563476E30D2317258F365D895C294FE75071724

5472 | VoicemodInstaller_1.3.1-h8fxkg.tmp | C:\Users\admin\AppData\Local\Temp\is-R4L2S.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

3560 | VoicemodInstaller_1.3.1-h8fxkg.exe | C:\Users\admin\AppData\Local\Temp\is-SOLFP.tmp\VoicemodInstaller_1.3.1-h8fxkg.tmp | executable
MD5: 735EF84DE3A30943CDB93C53C4FBE32E
SHA256: 51265B72871FAB6D4CDB98908563476E30D2317258F365D895C294FE75071724

5472 | VoicemodInstaller_1.3.1-h8fxkg.tmp | C:\Program Files\Voicemod V3\unins000.exe | executable
MD5: 735EF84DE3A30943CDB93C53C4FBE32E
SHA256: 51265B72871FAB6D4CDB98908563476E30D2317258F365D895C294FE75071724

5472 | VoicemodInstaller_1.3.1-h8fxkg.tmp | C:\Program Files\Voicemod V3\driver\mvvad.cat | binary
MD5: EF5A41F3D1570201C78C08B0112E175F
SHA256: F1A44FF4D1D73952A68547E697A3B9AB3E48809B53F1B1A199DE5103B7C49AA7

5472 | VoicemodInstaller_1.3.1-h8fxkg.tmp | C:\Program Files\Voicemod V3\driver\is-HO5BG.tmp | binary
MD5: EF5A41F3D1570201C78C08B0112E175F
SHA256: F1A44FF4D1D73952A68547E697A3B9AB3E48809B53F1B1A199DE5103B7C49AA7

5472 | VoicemodInstaller_1.3.1-h8fxkg.tmp | C:\Program Files\Voicemod V3\driver\is-QJCVO.tmp | ini
MD5: 4BE77F8AFECFC2B935017E2B6C231E0F
SHA256: F89D88D74C7EFECBAFB48F88511E9ADF56856A45571CB66D77DE5494D0A19627

5472 | VoicemodInstaller_1.3.1-h8fxkg.tmp | C:\Program Files\Voicemod V3\driver\is-BK867.tmp | executable
MD5: EDD104527F5F56C8F890ABD915BB636C
SHA256: BA6C3BBB1BFFC04409983F4EAAFF103F8F9F8E044F35A0589F969113BBDB96DE

5472 | VoicemodInstaller_1.3.1-h8fxkg.tmp | C:\Program Files\Voicemod V3\driver\is-2T1CQ.tmp | executable
MD5: 331BC2BF689BEDC4496B06B5D7D47BFA
SHA256: 7783FAF41C933A01379BE18AC070431C244A95A3BF361897CE471EB4040F63E6

5472 | VoicemodInstaller_1.3.1-h8fxkg.tmp | C:\Users\admin\AppData\Local\Temp\is-R4L2S.tmp\botva2.dll | executable
MD5: 0177746573EED407F8DCA8A9E441AA49
SHA256: A4B61626A1626FDABEC794E4F323484AA0644BAA1C905A5DCF785DC34564F008
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
54
DNS requests
15
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4536 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4536 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4392 | Voicemod.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | | | whitelisted
4392 | Voicemod.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | | | whitelisted
4392 | Voicemod.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEATzysLa6FOM9bIrVaiu4so%3D | unknown | | | whitelisted
| | POST | 204 | 2.16.110.171:443 | https://www.bing.com/threshold/xls.aspx | unknown | | | whitelisted
| | POST | 200 | 35.244.178.73:443 | https://sentry.voicemod.net/api/99/envelope/ | unknown | binary | 41 b | whitelisted
| | POST | 202 | 34.199.217.16:443 | https://s2s.mparticle.com/v2/events | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4536 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4536 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4536 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
api.voicemod.net
  • 35.205.157.23
whitelisted
s2s.mparticle.com
  • 34.199.217.16
  • 34.234.6.92
  • 54.144.133.34
  • 54.161.167.221
  • 52.7.164.249
  • 3.209.67.254
  • 52.86.81.103
  • 52.73.140.83
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
sentry.voicemod.net
  • 35.244.178.73
whitelisted
self.events.data.microsoft.com
  • 20.42.73.31
whitelisted

Threats

No threats detected
Debug output

Process: Voicemod.exe
Message: WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.