File name: VoicemodInstaller_1.4.3-5s03ml.exe

Full analysis: https://app.any.run/tasks/8c09d1c1-b70d-47e4-8d63-f709b36c81c8
Verdict: Malicious activity
Analysis date: May 17, 2025, 12:42:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: inno, installer, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: 5054B205D86A0C384E4B934DB9D2DB25
SHA1: 405A745924AC38AA03A825537B79712E1A0EE576
SHA256: 661EF1F59258C9FA7574D72BBCD01DD99E14116D0522FD78558824606318B97E
SSDEEP: 98304:pbUEdqZ3FWMo0iHNEGRltHg5YZz/6Pf8FMdJDxDBwcMSdObOS/Hro1e4Kv+BG/6I:KY

  • MALICIOUS

    • Changes the autorun value in the registry

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2320)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • VoicemodInstaller_1.4.3-5s03ml.exe (PID: 7452)
      • VoicemodInstaller_1.4.3-5s03ml.exe (PID: 7672)
      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • voicemodcon.exe (PID: 5008)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 7824)
    • Reads security settings of Internet Explorer

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7476)
      • voicemodcon.exe (PID: 5008)
      • Voicemod.exe (PID: 6740)
    • Starts CMD.EXE for commands execution

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • powershell.exe (PID: 2320)
      • cmd.exe (PID: 680)
      • cmd.exe (PID: 8032)
      • cmd.exe (PID: 7984)
    • Get information on the list of running processes

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • cmd.exe (PID: 8124)
    • Drops a system driver (possible attempt to evade defenses)

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • voicemodcon.exe (PID: 5008)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 7824)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 496)
      • cmd.exe (PID: 7260)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 2320)
      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
    • Starts process via Powershell

      • powershell.exe (PID: 2320)
    • Application launched itself

      • cmd.exe (PID: 680)
      • cmd.exe (PID: 8032)
      • cmd.exe (PID: 7984)
    • Reads the Windows owner or organization settings

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
    • Creates files in the driver directory

      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 7824)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 7824)
    • Uses DRIVERQUERY.EXE to obtain a list of installed device drivers

      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 7808)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7808)
      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 8188)
      • cmd.exe (PID: 732)
      • cmd.exe (PID: 5640)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 8188)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 732)
    • Uses WMIC.EXE

      • cmd.exe (PID: 5640)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 7580)
      • cmd.exe (PID: 7248)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 7912)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 6572)
  • INFO

    • Reads the computer name

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7476)
      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • curl.exe (PID: 7964)
      • curl.exe (PID: 2284)
      • curl.exe (PID: 7212)
      • curl.exe (PID: 4268)
      • curl.exe (PID: 8052)
      • curl.exe (PID: 5416)
      • curl.exe (PID: 6324)
      • curl.exe (PID: 2980)
      • curl.exe (PID: 7580)
      • curl.exe (PID: 7772)
      • curl.exe (PID: 6148)
      • curl.exe (PID: 7916)
      • curl.exe (PID: 7848)
      • curl.exe (PID: 5324)
      • curl.exe (PID: 2420)
      • curl.exe (PID: 8116)
      • curl.exe (PID: 8024)
      • SaveDefaultDevices.exe (PID: 8164)
      • curl.exe (PID: 6576)
      • AudioEndPointTool.exe (PID: 5404)
      • AudioEndPointTool.exe (PID: 6272)
      • AudioEndPointTool.exe (PID: 4892)
      • AudioEndPointTool.exe (PID: 5344)
      • AudioEndPointTool.exe (PID: 2504)
      • voicemodcon.exe (PID: 5008)
      • drvinst.exe (PID: 7824)
      • AudioEndPointTool.exe (PID: 7512)
      • AudioEndPointTool.exe (PID: 7892)
      • drvinst.exe (PID: 7020)
      • AudioEndPointTool.exe (PID: 7960)
      • AudioEndPointTool.exe (PID: 5384)
      • AudioEndPointTool.exe (PID: 8080)
      • AudioEndPointTool.exe (PID: 6252)
      • AudioEndPointTool.exe (PID: 7884)
      • curl.exe (PID: 968)
      • curl.exe (PID: 664)
      • curl.exe (PID: 5984)
      • curl.exe (PID: 6828)
      • curl.exe (PID: 6760)
      • curl.exe (PID: 6988)
      • curl.exe (PID: 7628)
      • curl.exe (PID: 5640)
      • Voicemod.exe (PID: 6740)
      • curl.exe (PID: 5576)
      • curl.exe (PID: 7236)
    • Checks supported languages

      • VoicemodInstaller_1.4.3-5s03ml.exe (PID: 7452)
      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7476)
      • VoicemodInstaller_1.4.3-5s03ml.exe (PID: 7672)
      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • curl.exe (PID: 7964)
      • curl.exe (PID: 8052)
      • curl.exe (PID: 7212)
      • curl.exe (PID: 2284)
      • curl.exe (PID: 4268)
      • curl.exe (PID: 5416)
      • curl.exe (PID: 6324)
      • curl.exe (PID: 7580)
      • curl.exe (PID: 2980)
      • curl.exe (PID: 7772)
      • curl.exe (PID: 6148)
      • curl.exe (PID: 7916)
      • curl.exe (PID: 7848)
      • curl.exe (PID: 5324)
      • curl.exe (PID: 2420)
      • curl.exe (PID: 6576)
      • curl.exe (PID: 8024)
      • curl.exe (PID: 8116)
      • SaveDefaultDevices.exe (PID: 8164)
      • AudioEndPointTool.exe (PID: 5404)
      • AudioEndPointTool.exe (PID: 6272)
      • voicemodcon.exe (PID: 5800)
      • AudioEndPointTool.exe (PID: 4892)
      • AudioEndPointTool.exe (PID: 2504)
      • AudioEndPointTool.exe (PID: 5344)
      • voicemodcon.exe (PID: 5008)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 7824)
      • AudioEndPointTool.exe (PID: 7512)
      • AudioEndPointTool.exe (PID: 7892)
      • AudioEndPointTool.exe (PID: 7884)
      • AudioEndPointTool.exe (PID: 5384)
      • AudioEndPointTool.exe (PID: 8080)
      • AudioEndPointTool.exe (PID: 6252)
      • AudioEndPointTool.exe (PID: 7960)
      • curl.exe (PID: 968)
      • curl.exe (PID: 664)
      • avx-checker.exe (PID: 2268)
      • curl.exe (PID: 6828)
      • curl.exe (PID: 5984)
      • curl.exe (PID: 6760)
      • curl.exe (PID: 6988)
      • curl.exe (PID: 7628)
      • curl.exe (PID: 7236)
      • Voicemod.exe (PID: 6740)
      • crashpad_handler.exe (PID: 2644)
      • curl.exe (PID: 5576)
      • curl.exe (PID: 5640)
    • Create files in a temporary directory

      • VoicemodInstaller_1.4.3-5s03ml.exe (PID: 7452)
      • VoicemodInstaller_1.4.3-5s03ml.exe (PID: 7672)
      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • curl.exe (PID: 7964)
      • curl.exe (PID: 7212)
      • curl.exe (PID: 4268)
      • curl.exe (PID: 6324)
      • curl.exe (PID: 7580)
      • curl.exe (PID: 6148)
      • curl.exe (PID: 7848)
      • curl.exe (PID: 2420)
      • curl.exe (PID: 8024)
      • AudioEndPointTool.exe (PID: 5404)
      • AudioEndPointTool.exe (PID: 6272)
      • voicemodcon.exe (PID: 5800)
      • AudioEndPointTool.exe (PID: 4892)
      • AudioEndPointTool.exe (PID: 2504)
      • AudioEndPointTool.exe (PID: 5344)
      • voicemodcon.exe (PID: 5008)
      • AudioEndPointTool.exe (PID: 7512)
      • AudioEndPointTool.exe (PID: 7892)
      • AudioEndPointTool.exe (PID: 5384)
      • AudioEndPointTool.exe (PID: 6252)
      • AudioEndPointTool.exe (PID: 8080)
      • AudioEndPointTool.exe (PID: 7960)
      • AudioEndPointTool.exe (PID: 7884)
      • curl.exe (PID: 968)
      • curl.exe (PID: 5984)
      • curl.exe (PID: 6760)
      • curl.exe (PID: 7628)
      • Voicemod.exe (PID: 6740)
      • crashpad_handler.exe (PID: 2644)
      • curl.exe (PID: 5640)
    • Process checks computer location settings

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7476)
    • Detects InnoSetup installer (YARA)

      • VoicemodInstaller_1.4.3-5s03ml.exe (PID: 7452)
      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7476)
      • VoicemodInstaller_1.4.3-5s03ml.exe (PID: 7672)
      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
    • The sample compiled with russian language support

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
    • Compiled with Borland Delphi (YARA)

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7476)
    • Creates files in the program directory

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • SaveDefaultDevices.exe (PID: 8164)
      • cmd.exe (PID: 680)
    • The sample compiled with english language support

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • voicemodcon.exe (PID: 5008)
      • drvinst.exe (PID: 7824)
      • drvinst.exe (PID: 7020)
    • Creates files or folders in the user directory

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • Voicemod.exe (PID: 6740)
    • Creates a software uninstall entry

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
    • Reads the machine GUID from the registry

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
      • voicemodcon.exe (PID: 5008)
      • drvinst.exe (PID: 7020)
      • Voicemod.exe (PID: 6740)
    • Execution of CURL command

      • VoicemodInstaller_1.4.3-5s03ml.tmp (PID: 7708)
    • Reads the software policy settings

      • voicemodcon.exe (PID: 5008)
      • drvinst.exe (PID: 7020)
      • Voicemod.exe (PID: 6740)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7616)
      • WMIC.exe (PID: 1228)
      • WMIC.exe (PID: 4336)
    • Checks proxy server information

      • Voicemod.exe (PID: 6740)
    • Reads Environment values

      • Voicemod.exe (PID: 6740)
    • Reads CPU info

      • Voicemod.exe (PID: 6740)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:17 06:07:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 156160
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Voicemod Inc., Sucursal en España
FileDescription: Voicemod Setup
FileVersion:
LegalCopyright: © 2025 Voicemod Inc., Sucursal en España - Version 1.4.3
OriginalFileName:
ProductName: Voicemod
ProductVersion: 1.4.3
No data.
Total processes: 268
Monitored processes: 136
Malicious processes: 5
Suspicious processes: 6


Process information

PID
CMD
Path
Indicators
Parent process
PID: 208
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 496
CMD: "C:\WINDOWS\system32\cmd.exe" /C ""C:\Program Files\Voicemod V3\driver\setupDrv.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: VoicemodInstaller_1.4.3-5s03ml.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
664"C:\WINDOWS\system32\curl.exe" -u us1-d2410d079164564abc5e06843fc67fdb:516itzpaBAGHuMlgh2A6VuTvFKGulyir1mi3OY6kBDLS4XbBnxXtLYe5ngsL2uNv -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"bb926e54-e3ca-40fd-ae90-2764341e7792\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"bb926e54-e3ca-40fd-ae90-2764341e7792\"},\"mp_deviceid\": \"bb926e54-e3ca-40fd-ae90-2764341e7792\",\"events\": [{\"data\": {\"event_name\": \"V3 Temp Installer Disabling Driver Failed\" , \"custom_attributes\": { \"version\": \"1.4.3\", \"app_version\": \"1.4.3\", \"machine_guid\": \"bb926e54-e3ca-40fd-ae90-2764341e7792\", \"country\": \"United States\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v3-installer-windows\",\"operating_system\": \"Windows\",\"operating_system_version\": \"10 (10.0.19045)\",\"cpu_architecture\": \"x86_64\", \"download_id\": \"5s03ml\",\"error_code\": \"0,-1\",\"cpu_name\": \"Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz\", \"memory_size\": \"3 GB\", \"antivirus_name\": \"Windows Defender\", \"audio_devices\": \"[\\\"Realtek AC'97 Audio\\\",\\\"Voicemod Virtual Audio Device (WDM)\\\"]\" }},\"event_type\": \"custom_event\"}],\"ip\": \"212.30.37.95\",\"environment\": \"production\"}"C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.4.3-5s03ml.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll

PID: 680
CMD: "C:\WINDOWS\System32\cmd.exe" /C "C:\Program Files\Voicemod V3\driver\setupDrvAdmin.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

PID: 732
CMD: C:\WINDOWS\system32\cmd.exe /c wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct get displayName /value | findstr /V "^$"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 840
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 968
CMD: "C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"
Path: C:\Windows\System32\curl.exe
Parent process: VoicemodInstaller_1.4.3-5s03ml.tmp
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll

PID: 1040
CMD: driverquery /V /FO LIST
Path: C:\Windows\System32\driverquery.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Queries the drivers on a system
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\driverquery.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

PID: 1072
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: curl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Total events: 38 761
Read events: 38 107
Write events: 647
Delete events: 7

Modification events

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation: write
Name: DownloadId
Value: 5s03ml

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Voicemod V3
Operation: write
Name: TermsAcceptedDate
Value: 2025/05/17

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: VoicemodV3
Value: "C:\Program Files\Voicemod V3\Voicemod.exe" --boot

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation: write
Name: InstallPath
Value: C:\Program Files\Voicemod V3

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation: write
Name: Language
Value: zhTW

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\voicemod
Operation: write
Name: URL Protocol
Value:

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.0.3 (u)

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\Voicemod V3

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Voicemod V3

(PID) Process: (7708) VoicemodInstaller_1.4.3-5s03ml.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\Voicemod V3\

Executable files: 43
Suspicious files: 22
Text files: 48
Unknown types: 6

Dropped files

PID
Process
Filename
Type

PID: 7708
Process: VoicemodInstaller_1.4.3-5s03ml.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-9G3JH.tmp\_isetup\_setup64.tmp
Type: executable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 7452
Process: VoicemodInstaller_1.4.3-5s03ml.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-TLRPL.tmp\VoicemodInstaller_1.4.3-5s03ml.tmp
Type: executable
MD5:A8325DF1846899C7A2A16552B14ECAB3
SHA256:0C8A92E6C64B13FDD16E7122D43449AE969FD10BD88301660097EA2FBA3E41D7

PID: 7708
Process: VoicemodInstaller_1.4.3-5s03ml.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-9G3JH.tmp\idp.dll
Type: executable
MD5:55C310C0319260D798757557AB3BF636
SHA256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED

PID: 7964
Process: curl.exe
Filename: C:\Users\admin\AppData\Local\Temp\ipaddress.info
Type: binary
MD5:0C53E331246FEE8A36CA27054DB66A01
SHA256:64F14F3E6279254359E70077590268527497AA3748928C2497F4A26A44425737

PID: 7708
Process: VoicemodInstaller_1.4.3-5s03ml.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-9G3JH.tmp\mvvad.inf
Type: text
MD5:4BE77F8AFECFC2B935017E2B6C231E0F
SHA256:F89D88D74C7EFECBAFB48F88511E9ADF56856A45571CB66D77DE5494D0A19627

PID: 7708
Process: VoicemodInstaller_1.4.3-5s03ml.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-9G3JH.tmp\bg-top.png
Type: image
MD5:220FE6E00519A633D9AD7D1D50ADC4C7
SHA256:BDC753B2B19EE8B573B8E676F18DAE42494B99B6BD738194DCDD67F244085F36

PID: 8124
Process: cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\tasklist_unins000.exe.txt
Type: text
MD5:5018D8EB9D854E99FE54EBDC01FC0450
SHA256:D3DB4A5E933771F9D36C59B8F2B31B97B5CAA6A1900FC9B396BA66E278E56B90

PID: 7672
Process: VoicemodInstaller_1.4.3-5s03ml.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-VFISS.tmp\VoicemodInstaller_1.4.3-5s03ml.tmp
Type: executable
MD5:A8325DF1846899C7A2A16552B14ECAB3
SHA256:0C8A92E6C64B13FDD16E7122D43449AE969FD10BD88301660097EA2FBA3E41D7

PID: 7708
Process: VoicemodInstaller_1.4.3-5s03ml.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-9G3JH.tmp\bg-inner.png
Type: image
MD5:A034EEAF19BB82B2AE63F4FA10C26476
SHA256:8FE4A3F95D5309E692C4142F460BEBE4E4E24844F5A2071D466BD964C5D04DCF

PID: 7708
Process: VoicemodInstaller_1.4.3-5s03ml.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-9G3JH.tmp\buttons.png
Type: image
MD5:87CC673665996A85A404BEB1C8466AEE
SHA256:D236F88EF90E6D0E259A586F4E613B14D4A35F3A704FF559DADDA31341E99C24

HTTP(S) requests: 13
TCP/UDP connections: 63
DNS requests: 20
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.167:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
756
lsass.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
756
lsass.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
unknown
whitelisted
756
lsass.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
unknown
whitelisted
7788
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6740
Voicemod.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
6740
Voicemod.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6740
Voicemod.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAqxhAf2g9u2A58lPbW3Yfw%3D
unknown
whitelisted
756
lsass.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQC5WUWZ6L4kTw%3D%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
23.48.23.167:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7964
curl.exe
35.205.157.23:443
api.voicemod.net
GOOGLE-CLOUD-PLATFORM
BE
whitelisted
756
lsass.exe
69.192.161.44:80
x1.c.lencr.org
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.167
  • 23.48.23.141
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.169
  • 23.48.23.176
  • 23.48.23.145
  • 23.48.23.194
  • 23.48.23.177
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 142.250.185.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
api.voicemod.net
  • 35.205.157.23
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
r10.o.lencr.org
  • 184.24.77.56
  • 184.24.77.65
whitelisted
s2s.mparticle.com
  • 54.83.85.242
  • 34.204.155.45
  • 34.232.237.210
  • 13.217.127.55
  • 52.207.104.102
  • 54.89.241.196
  • 50.16.55.230
  • 3.95.43.211
whitelisted
ocsp.godaddy.com
  • 192.124.249.41
  • 192.124.249.36
  • 192.124.249.24
  • 192.124.249.23
  • 192.124.249.22
whitelisted

Threats

No threats detected
No debug info