File name:

66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe

Full analysis: https://app.any.run/tasks/7449243c-0d69-4390-a799-877052d0bf0f
Verdict: Malicious activity
Analysis date: June 21, 2025, 15:20:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
inno
installer
delphi
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:

2F99913925990BCF055A14A34EE24B8E

SHA1:

D6E9CBB8A50E299CE03D9B8FA4BF303BAC3BC691

SHA256:

66A14AE579396FC85F3BD72B021BC802D9E0FF9A68810F6F0E6EDEDEB67274C9

SSDEEP:

98304:/bUgdqZ3FWMo0iHNEGRltHg5YZz/6Pf8FMdJDxDBwcMSdObOS/Hro1e4Kv+BG/6D:CcrsmQai

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5528)

    • Changes the autorun value in the registry

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 1944)
      • Voicemod.exe (PID: 1896)
      • voicemodcon.exe (PID: 6520)
      • Voicemod.exe (PID: 3836)

    • Get information on the list of running processes

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • cmd.exe (PID: 3836)

    • Starts CMD.EXE for commands execution

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 4164)
      • cmd.exe (PID: 4760)
      • powershell.exe (PID: 5528)

    • Executable content was dropped or overwritten

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe (PID: 5616)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe (PID: 424)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • voicemodcon.exe (PID: 6520)
      • drvinst.exe (PID: 6104)
      • drvinst.exe (PID: 3872)

    • Reads the Windows owner or organization settings

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)

    • There is functionality for taking screenshot (YARA)

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • Voicemod.exe (PID: 1896)

    • Drops a system driver (possible attempt to evade defenses)

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • voicemodcon.exe (PID: 6520)
      • drvinst.exe (PID: 3872)
      • drvinst.exe (PID: 6104)

    • Executing commands from a ".bat" file

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • powershell.exe (PID: 5528)

    • Application launched itself

      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 4164)
      • cmd.exe (PID: 4760)

    • Starts process via Powershell

      • powershell.exe (PID: 5528)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5716)
      • cmd.exe (PID: 3588)

    • Creates files in the driver directory

      • drvinst.exe (PID: 6104)
      • drvinst.exe (PID: 3872)

    • Creates or modifies Windows services

      • drvinst.exe (PID: 3872)

    • Uses DRIVERQUERY.EXE to obtain a list of installed device drivers

      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 6748)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6748)
      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 5372)
      • cmd.exe (PID: 6936)
      • cmd.exe (PID: 6776)

    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 5372)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6776)

    • Uses WMIC.EXE

      • cmd.exe (PID: 6936)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6936)
      • cmd.exe (PID: 4960)
      • cmd.exe (PID: 6140)
      • cmd.exe (PID: 3732)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 4832)
      • cmd.exe (PID: 5372)

  • INFO

    • Checks supported languages

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe (PID: 5616)
      • curl.exe (PID: 4984)
      • curl.exe (PID: 2188)
      • curl.exe (PID: 4196)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 1944)
      • curl.exe (PID: 4644)
      • curl.exe (PID: 5924)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe (PID: 424)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • curl.exe (PID: 6940)
      • curl.exe (PID: 3800)
      • curl.exe (PID: 2664)
      • curl.exe (PID: 5600)
      • curl.exe (PID: 5008)
      • curl.exe (PID: 1496)
      • curl.exe (PID: 6232)
      • curl.exe (PID: 6776)
      • curl.exe (PID: 3636)
      • curl.exe (PID: 2716)
      • curl.exe (PID: 6292)
      • curl.exe (PID: 3396)
      • curl.exe (PID: 1216)
      • crashpad_handler.exe (PID: 6256)
      • AudioEndPointTool.exe (PID: 6700)
      • SaveDefaultDevices.exe (PID: 6424)
      • voicemodcon.exe (PID: 6212)
      • AudioEndPointTool.exe (PID: 6512)
      • Voicemod.exe (PID: 1896)
      • AudioEndPointTool.exe (PID: 5172)
      • AudioEndPointTool.exe (PID: 1232)
      • AudioEndPointTool.exe (PID: 1356)
      • drvinst.exe (PID: 6104)
      • voicemodcon.exe (PID: 6520)
      • AudioEndPointTool.exe (PID: 4836)
      • AudioEndPointTool.exe (PID: 6424)
      • drvinst.exe (PID: 3872)
      • AudioEndPointTool.exe (PID: 6812)
      • AudioEndPointTool.exe (PID: 1180)
      • AudioEndPointTool.exe (PID: 4680)
      • AudioEndPointTool.exe (PID: 4080)
      • AudioEndPointTool.exe (PID: 3636)
      • curl.exe (PID: 4104)
      • curl.exe (PID: 6220)
      • curl.exe (PID: 3748)
      • curl.exe (PID: 2680)
      • curl.exe (PID: 5372)
      • curl.exe (PID: 3768)
      • avx-checker.exe (PID: 5232)
      • curl.exe (PID: 7080)
      • Voicemod.exe (PID: 3836)
      • curl.exe (PID: 4832)
      • crashpad_handler.exe (PID: 6336)
      • curl.exe (PID: 4380)
      • curl.exe (PID: 2976)

    • Reads the computer name

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 1944)
      • curl.exe (PID: 4984)
      • curl.exe (PID: 2188)
      • curl.exe (PID: 4196)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • curl.exe (PID: 6940)
      • curl.exe (PID: 4644)
      • curl.exe (PID: 2716)
      • curl.exe (PID: 5924)
      • curl.exe (PID: 3396)
      • curl.exe (PID: 6292)
      • curl.exe (PID: 5008)
      • curl.exe (PID: 5600)
      • curl.exe (PID: 1496)
      • curl.exe (PID: 6232)
      • curl.exe (PID: 3800)
      • curl.exe (PID: 6776)
      • curl.exe (PID: 3636)
      • curl.exe (PID: 2664)
      • curl.exe (PID: 1216)
      • Voicemod.exe (PID: 1896)
      • SaveDefaultDevices.exe (PID: 6424)
      • AudioEndPointTool.exe (PID: 6512)
      • AudioEndPointTool.exe (PID: 1356)
      • AudioEndPointTool.exe (PID: 5172)
      • AudioEndPointTool.exe (PID: 6700)
      • AudioEndPointTool.exe (PID: 1232)
      • voicemodcon.exe (PID: 6520)
      • drvinst.exe (PID: 3872)
      • drvinst.exe (PID: 6104)
      • AudioEndPointTool.exe (PID: 6812)
      • AudioEndPointTool.exe (PID: 4836)
      • AudioEndPointTool.exe (PID: 4080)
      • AudioEndPointTool.exe (PID: 6424)
      • AudioEndPointTool.exe (PID: 4680)
      • AudioEndPointTool.exe (PID: 1180)
      • AudioEndPointTool.exe (PID: 3636)
      • curl.exe (PID: 2976)
      • curl.exe (PID: 3748)
      • curl.exe (PID: 6220)
      • curl.exe (PID: 5372)
      • curl.exe (PID: 2680)
      • curl.exe (PID: 3768)
      • curl.exe (PID: 7080)
      • curl.exe (PID: 4832)
      • Voicemod.exe (PID: 3836)
      • curl.exe (PID: 4380)
      • curl.exe (PID: 4104)

    • Create files in a temporary directory

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe (PID: 424)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe (PID: 5616)
      • Voicemod.exe (PID: 1896)
      • crashpad_handler.exe (PID: 6256)
      • AudioEndPointTool.exe (PID: 6700)
      • AudioEndPointTool.exe (PID: 6512)
      • AudioEndPointTool.exe (PID: 1356)
      • AudioEndPointTool.exe (PID: 1232)
      • voicemodcon.exe (PID: 6212)
      • AudioEndPointTool.exe (PID: 5172)
      • voicemodcon.exe (PID: 6520)
      • AudioEndPointTool.exe (PID: 4836)
      • AudioEndPointTool.exe (PID: 6812)
      • AudioEndPointTool.exe (PID: 6424)
      • AudioEndPointTool.exe (PID: 1180)
      • AudioEndPointTool.exe (PID: 4080)
      • AudioEndPointTool.exe (PID: 3636)
      • Voicemod.exe (PID: 3836)
      • AudioEndPointTool.exe (PID: 4680)

    • Process checks computer location settings

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 1944)

    • The sample compiled with russian language support

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)

    • Detects InnoSetup installer (YARA)

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 1944)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe (PID: 5616)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe (PID: 424)

    • Compiled with Borland Delphi (YARA)

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 1944)
      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)

    • Reads the machine GUID from the registry

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • Voicemod.exe (PID: 1896)
      • voicemodcon.exe (PID: 6520)
      • drvinst.exe (PID: 6104)
      • Voicemod.exe (PID: 3836)

    • Execution of CURL command

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)

    • Creates a software uninstall entry

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)

    • The sample compiled with english language support

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • voicemodcon.exe (PID: 6520)
      • drvinst.exe (PID: 6104)
      • drvinst.exe (PID: 3872)

    • Creates files in the program directory

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)
      • SaveDefaultDevices.exe (PID: 6424)
      • cmd.exe (PID: 5552)

    • Manual execution by a user

      • Voicemod.exe (PID: 1896)

    • Checks proxy server information

      • Voicemod.exe (PID: 1896)
      • Voicemod.exe (PID: 3836)
      • slui.exe (PID: 3480)

    • Launching a file from a Registry key

      • 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp (PID: 2348)

    • Reads the software policy settings

      • Voicemod.exe (PID: 1896)
      • voicemodcon.exe (PID: 6520)
      • drvinst.exe (PID: 6104)
      • Voicemod.exe (PID: 3836)
      • slui.exe (PID: 3480)

    • Creates files or folders in the user directory

      • Voicemod.exe (PID: 1896)

    • Reads Environment values

      • Voicemod.exe (PID: 1896)
      • Voicemod.exe (PID: 3836)

    • Reads CPU info

      • Voicemod.exe (PID: 1896)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4884)
      • WMIC.exe (PID: 1232)
      • WMIC.exe (PID: 4868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:17 06:07:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 156160
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Voicemod Inc., Sucursal en España
FileDescription: Voicemod Setup
FileVersion:
LegalCopyright: © 2025 Voicemod Inc., Sucursal en España - Version 1.4.8
OriginalFileName:
ProductName: Voicemod
ProductVersion: 1.4.8
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
277
Monitored processes
139
Malicious processes
4
Suspicious processes
6

Behavior graph

Click at the process to see the details
start 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9voicemodinstaller_1.4.8-i68s70.exe 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9voicemodinstaller_1.4.8-i68s70.tmp no specs 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9voicemodinstaller_1.4.8-i68s70.exe 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9voicemodinstaller_1.4.8-i68s70.tmp curl.exe conhost.exe no specs curl.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs savedefaultdevices.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs voicemod.exe crashpad_handler.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs audioendpointtool.exe no specs cmd.exe no specs audioendpointtool.exe no specs cmd.exe no specs voicemodcon.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs voicemodcon.exe drvinst.exe drvinst.exe audioendpointtool.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs cmd.exe no specs conhost.exe no specs driverquery.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs driverquery.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs cmd.exe no specs audioendpointtool.exe no specs audioendpointtool.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs avx-checker.exe no specs conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs slui.exe voicemod.exe crashpad_handler.exe no specs curl.exe conhost.exe no specs curl.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
416netsh advfirewall firewall add rule name="Voicemod" dir=out action=allow program="C:\Users\admin\AppData\Local\VoicemodV3\app\last\Voicemod.exe"C:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
424"C:\Users\admin\Desktop\66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe" /SPAWNWND=$40252 /NOTIFYWND=$60282 C:\Users\admin\Desktop\66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe
66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp
User:
admin
Company:
Voicemod Inc., Sucursal en España
Integrity Level:
HIGH
Description:
Voicemod Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9voicemodinstaller_1.4.8-i68s70.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
504\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execurl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
856\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1036\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execurl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1128netsh advfirewall firewall add rule name="Voicemod" dir=in action=allow program="C:\Program Files\Voicemod V3\Voicemod.exe"C:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1180AudioEndPointTool.exe get --name Voicemod --flow Render --format Raw --fields IDC:\Program Files\Voicemod V3\driver\AudioEndPointTool.execmd.exe
User:
admin
Company:
Voicemod Inc.
Integrity Level:
HIGH
Description:
Voicemod tools
Exit code:
0
Modules
Images
c:\program files\voicemod v3\driver\audioendpointtool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
1216"C:\WINDOWS\system32\curl.exe" https://api.voicemod.net/ip -H "Content-Type: application/json" -o "C:\Users\admin\AppData\Local\Temp\\ipaddress.info"C:\Windows\System32\curl.exe
66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmp
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
35
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
1216\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execurl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1232AudioEndPointTool.exe get --default --flow=Capture --role=Console --format=Raw --fields=ID C:\Program Files\Voicemod V3\driver\AudioEndPointTool.execmd.exe
User:
admin
Company:
Voicemod Inc.
Integrity Level:
HIGH
Description:
Voicemod tools
Exit code:
0
Modules
Images
c:\program files\voicemod v3\driver\audioendpointtool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
Total events
43 506
Read events
42 852
Write events
647
Delete events
7

Modification events

(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation:writeName:DownloadId
Value:
i68s70
(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Voicemod V3
Operation:writeName:TermsAcceptedDate
Value:
2025/06/21
(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:VoicemodV3
Value:
"C:\Program Files\Voicemod V3\Voicemod.exe" --boot
(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation:writeName:InstallPath
Value:
C:\Program Files\Voicemod V3
(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Voicemod\Voicemod V3
Operation:writeName:Language
Value:
en
(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\voicemod
Operation:writeName:URL Protocol
Value:
(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation:writeName:Inno Setup: Setup Version
Value:
6.0.3 (u)
(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\Voicemod V3
(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\Voicemod V3\
(PID) Process:(2348) 66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE519A29-8B15-47C4-BCD6-A513277DC26F}_is1
Operation:writeName:Inno Setup: Icon Group
Value:
Voicemod V3
Executable files
43
Suspicious files
28
Text files
50
Unknown types
0

Dropped files

PID
Process
Filename
Type
561666a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exeC:\Users\admin\AppData\Local\Temp\is-3IPR4.tmp\66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpexecutable
MD5:9D81EAFEC164832D9C47431A5196BD46
SHA256:9B595FB636111EE1F84BF798998A8DE29C7DE6F2EC491D37278C663150189A3E
234866a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpC:\Program Files\Voicemod V3\is-I8QS0.tmpexecutable
MD5:9D81EAFEC164832D9C47431A5196BD46
SHA256:9B595FB636111EE1F84BF798998A8DE29C7DE6F2EC491D37278C663150189A3E
234866a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpC:\Users\admin\AppData\Local\Temp\is-0O837.tmp\bg-bottom.pngimage
MD5:3ADA9688E90538E60978FB6EE09041FE
SHA256:FF17916663AF2E4B08DEF48861EB38E8CD2AB4E4317E64DDAB205803C9BDFAD8
234866a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpC:\Users\admin\AppData\Local\Temp\is-0O837.tmp\bg-top.pngimage
MD5:220FE6E00519A633D9AD7D1D50ADC4C7
SHA256:BDC753B2B19EE8B573B8E676F18DAE42494B99B6BD738194DCDD67F244085F36
234866a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpC:\Program Files\Voicemod V3\driver\mvvad.catbinary
MD5:EF5A41F3D1570201C78C08B0112E175F
SHA256:F1A44FF4D1D73952A68547E697A3B9AB3E48809B53F1B1A199DE5103B7C49AA7
234866a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpC:\Program Files\Voicemod V3\driver\is-0DDEM.tmptext
MD5:4BE77F8AFECFC2B935017E2B6C231E0F
SHA256:F89D88D74C7EFECBAFB48F88511E9ADF56856A45571CB66D77DE5494D0A19627
3836cmd.exeC:\Users\admin\AppData\Local\Temp\tasklist_unins000.exe.txttext
MD5:0A3D8F8FCDEB58A6C9BC8228A970C28D
SHA256:D4C9AD9F84309CADFB4934F04C9D5DE1F7C125A52CEBB68C7D657FBD1F844E20
234866a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpC:\Users\admin\AppData\Local\Temp\is-0O837.tmp\_isetup\_setup64.tmpexecutable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
234866a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpC:\Program Files\Voicemod V3\driver\is-7FR30.tmptext
MD5:F3737DFDA446BD671EC2F44DDBB201B3
SHA256:45D002D328746C4AD9BF49BCC0CCA40D47B217A9083E042FC8C8268BE2E32A0D
234866a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.tmpC:\Program Files\Voicemod V3\driver\mvvad.inftext
MD5:4BE77F8AFECFC2B935017E2B6C231E0F
SHA256:F89D88D74C7EFECBAFB48F88511E9ADF56856A45571CB66D77DE5494D0A19627
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
89
DNS requests
25
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4156
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1472
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1472
SIHClient.exe
GET
200
184.24.77.38:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
GET
200
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.39:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.24.77.39:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.32.136:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.32.136:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4156
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.39:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
184.24.77.39:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4156
RUXIMICS.exe
184.24.77.39:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 184.24.77.39
  • 184.24.77.37
  • 184.24.77.9
  • 184.24.77.12
  • 184.24.77.11
  • 184.24.77.10
  • 184.24.77.35
  • 184.24.77.14
  • 184.24.77.6
  • 184.24.77.38
  • 184.24.77.7
  • 184.24.77.24
  • 184.24.77.23
  • 184.24.77.22
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.2
  • 40.126.31.131
  • 40.126.31.73
  • 20.190.159.73
  • 40.126.31.129
  • 20.190.159.131
  • 20.190.159.2
whitelisted
api.voicemod.net
  • 35.205.157.23
whitelisted
s2s.mparticle.com
  • 54.82.149.107
  • 98.82.252.39
  • 44.206.75.123
  • 35.170.131.127
  • 52.6.30.55
  • 35.153.96.133
  • 18.210.34.90
  • 18.235.207.234
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET INFO Outgoing Basic Auth Base64 HTTP Password detected unencrypted
Process
Message
Voicemod.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
66a14ae579396fc85f3bd72b021bc802d9e0ff9a68810f6f0e6ededeb67274c9VoicemodInstaller_1.4.8-i68s70.exe