e308630fce1981ea146389004c428b4c2b2ea344cf707ddb32967846dfa56fa4

Analysis

max time kernel
59s
max time network
111s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

voicemod pro 1.2.2.7 crack.exe.7z
Size

9.0MB
MD5

9c0dae31629226d0e1563d88b03d80aa
SHA1

d3d802b9489132439d124a455f6b4533549b841a
SHA256

e308630fce1981ea146389004c428b4c2b2ea344cf707ddb32967846dfa56fa4
SHA512

4dad21814287cc05b7073e6f8a3bb961beccb4d9c1a8808c3a687711fe119f143c48ea0b29a6d56617ed9d5d18bd329288017c220aeb9d0e2925bb60c5486b31
SSDEEP

196608:DI+/zfWO2XydJF9PdReulC/CYpUTzJI/0KEn75:smzfOuJF9PdwuldY6tcS1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 13 IoCs

pid	Process
1772	voicemod pro 1.2.2.7 crack.exe
2504	voicemod pro 1.2.2.7 crack.exe
1740	voicemod pro 1.2.2.7 crack.exe
1656	voicemod pro 1.2.2.7 crack.exe
1560	According.com
1884	According.com
2396	voicemod pro 1.2.2.7 crack.exe
2688	voicemod pro 1.2.2.7 crack.exe
2124	According.com
328	voicemod pro 1.2.2.7 crack.exe
1764	voicemod pro 1.2.2.7 crack.exe
2288	voicemod pro 1.2.2.7 crack.exe
1808	voicemod pro 1.2.2.7 crack.exe

Loads dropped DLL 3 IoCs

pid	Process
1724	cmd.exe
3040	cmd.exe
780	cmd.exe

Enumerates processes with tasklist 1 TTPs 30 IoCs

discovery

Process Discovery

T1057

pid	Process
2360	tasklist.exe
2132	tasklist.exe
1912	tasklist.exe
2216	tasklist.exe
768	tasklist.exe
1316	tasklist.exe
1448	tasklist.exe
2700	tasklist.exe
2356	tasklist.exe
1792	tasklist.exe
3056	tasklist.exe
1600	tasklist.exe
1732	tasklist.exe
2972	tasklist.exe
2588	tasklist.exe
580	tasklist.exe
3060	tasklist.exe
2804	tasklist.exe
2876	tasklist.exe
1648	tasklist.exe
2520	tasklist.exe
2872	tasklist.exe
1992	tasklist.exe
332	tasklist.exe
2248	tasklist.exe
1964	tasklist.exe
1636	tasklist.exe
1244	tasklist.exe
2868	tasklist.exe
1132	tasklist.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ColoradoAppointment	voicemod pro 1.2.2.7 crack.exe
File opened for modification	C:\Windows\ColoradoAppointment	voicemod pro 1.2.2.7 crack.exe
File opened for modification	C:\Windows\ColoradoAppointment	voicemod pro 1.2.2.7 crack.exe
File opened for modification	C:\Windows\ColoradoAppointment	voicemod pro 1.2.2.7 crack.exe
File opened for modification	C:\Windows\ColoradoAppointment	voicemod pro 1.2.2.7 crack.exe
File opened for modification	C:\Windows\ColoradoAppointment	voicemod pro 1.2.2.7 crack.exe
File opened for modification	C:\Windows\ColoradoAppointment	voicemod pro 1.2.2.7 crack.exe
File opened for modification	C:\Windows\ColoradoAppointment	voicemod pro 1.2.2.7 crack.exe
File opened for modification	C:\Windows\ColoradoAppointment	voicemod pro 1.2.2.7 crack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
680	1884	WerFault.exe	68
2164	1560	WerFault.exe	55
1528	2124	WerFault.exe	85
2260	1996	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	According.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	According.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	According.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicemod pro 1.2.2.7 crack.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1560	According.com
1560	According.com
1560	According.com
1884	According.com
1884	According.com
1884	According.com
2124	According.com
2124	According.com
2124	According.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2596	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	2596	7zFM.exe
Token: 35	2596	7zFM.exe
Token: SeSecurityPrivilege	2596	7zFM.exe
Token: SeDebugPrivilege	2356	tasklist.exe
Token: SeDebugPrivilege	2132	tasklist.exe
Token: SeDebugPrivilege	1912	tasklist.exe
Token: SeDebugPrivilege	1792	tasklist.exe
Token: SeDebugPrivilege	2872	tasklist.exe
Token: SeDebugPrivilege	2876	tasklist.exe
Token: SeDebugPrivilege	3056	tasklist.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2596	7zFM.exe
2596	7zFM.exe
1560	According.com
1560	According.com
1560	According.com
1884	According.com
1884	According.com
1884	According.com
2124	According.com
2124	According.com
2124	According.com

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1560	According.com
1560	According.com
1560	According.com
1884	According.com
1884	According.com
1884	According.com
2124	According.com
2124	According.com
2124	According.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1724	1772	voicemod pro 1.2.2.7 crack.exe	33
PID 1772 wrote to memory of 1724	1772	voicemod pro 1.2.2.7 crack.exe	33
PID 1772 wrote to memory of 1724	1772	voicemod pro 1.2.2.7 crack.exe	33
PID 1772 wrote to memory of 1724	1772	voicemod pro 1.2.2.7 crack.exe	33
PID 1724 wrote to memory of 2752	1724	cmd.exe	35
PID 1724 wrote to memory of 2752	1724	cmd.exe	35
PID 1724 wrote to memory of 2752	1724	cmd.exe	35
PID 1724 wrote to memory of 2752	1724	cmd.exe	35
PID 2504 wrote to memory of 3040	2504	voicemod pro 1.2.2.7 crack.exe	37
PID 2504 wrote to memory of 3040	2504	voicemod pro 1.2.2.7 crack.exe	37
PID 2504 wrote to memory of 3040	2504	voicemod pro 1.2.2.7 crack.exe	37
PID 2504 wrote to memory of 3040	2504	voicemod pro 1.2.2.7 crack.exe	37
PID 3040 wrote to memory of 2964	3040	cmd.exe	39
PID 3040 wrote to memory of 2964	3040	cmd.exe	39
PID 3040 wrote to memory of 2964	3040	cmd.exe	39
PID 3040 wrote to memory of 2964	3040	cmd.exe	39
PID 1724 wrote to memory of 2356	1724	cmd.exe	40
PID 1724 wrote to memory of 2356	1724	cmd.exe	40
PID 1724 wrote to memory of 2356	1724	cmd.exe	40
PID 1724 wrote to memory of 2356	1724	cmd.exe	40
PID 1724 wrote to memory of 1696	1724	cmd.exe	41
PID 1724 wrote to memory of 1696	1724	cmd.exe	41
PID 1724 wrote to memory of 1696	1724	cmd.exe	41
PID 1724 wrote to memory of 1696	1724	cmd.exe	41
PID 1724 wrote to memory of 2132	1724	cmd.exe	44
PID 1724 wrote to memory of 2132	1724	cmd.exe	44
PID 1724 wrote to memory of 2132	1724	cmd.exe	44
PID 1724 wrote to memory of 2132	1724	cmd.exe	44
PID 1724 wrote to memory of 2972	1724	cmd.exe	45
PID 1724 wrote to memory of 2972	1724	cmd.exe	45
PID 1724 wrote to memory of 2972	1724	cmd.exe	45
PID 1724 wrote to memory of 2972	1724	cmd.exe	45
PID 1740 wrote to memory of 3068	1740	voicemod pro 1.2.2.7 crack.exe	46
PID 1740 wrote to memory of 3068	1740	voicemod pro 1.2.2.7 crack.exe	46
PID 1740 wrote to memory of 3068	1740	voicemod pro 1.2.2.7 crack.exe	46
PID 1740 wrote to memory of 3068	1740	voicemod pro 1.2.2.7 crack.exe	46
PID 3068 wrote to memory of 3008	3068	cmd.exe	48
PID 3068 wrote to memory of 3008	3068	cmd.exe	48
PID 3068 wrote to memory of 3008	3068	cmd.exe	48
PID 3068 wrote to memory of 3008	3068	cmd.exe	48
PID 1724 wrote to memory of 2720	1724	cmd.exe	49
PID 1724 wrote to memory of 2720	1724	cmd.exe	49
PID 1724 wrote to memory of 2720	1724	cmd.exe	49
PID 1724 wrote to memory of 2720	1724	cmd.exe	49
PID 1724 wrote to memory of 2080	1724	cmd.exe	50
PID 1724 wrote to memory of 2080	1724	cmd.exe	50
PID 1724 wrote to memory of 2080	1724	cmd.exe	50
PID 1724 wrote to memory of 2080	1724	cmd.exe	50
PID 1724 wrote to memory of 1132	1724	cmd.exe	51
PID 1724 wrote to memory of 1132	1724	cmd.exe	51
PID 1724 wrote to memory of 1132	1724	cmd.exe	51
PID 1724 wrote to memory of 1132	1724	cmd.exe	51
PID 1724 wrote to memory of 2312	1724	cmd.exe	52
PID 1724 wrote to memory of 2312	1724	cmd.exe	52
PID 1724 wrote to memory of 2312	1724	cmd.exe	52
PID 1724 wrote to memory of 2312	1724	cmd.exe	52
PID 1724 wrote to memory of 972	1724	cmd.exe	53
PID 1724 wrote to memory of 972	1724	cmd.exe	53
PID 1724 wrote to memory of 972	1724	cmd.exe	53
PID 1724 wrote to memory of 972	1724	cmd.exe	53
PID 1724 wrote to memory of 1560	1724	cmd.exe	55
PID 1724 wrote to memory of 1560	1724	cmd.exe	55
PID 1724 wrote to memory of 1560	1724	cmd.exe	55
PID 1724 wrote to memory of 1560	1724	cmd.exe	55

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\voicemod pro 1.2.2.7 crack.exe.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2596

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Harvard" Bright
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    - System Location Discovery: System Language Discovery
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1236
      4⤵
      Program crash
      PID:2164
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1280
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1224
      4⤵
      Program crash
      PID:680
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:780
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1316
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1180
      4⤵
      Program crash
      PID:1528
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1964
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    PID:304
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    PID:604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    PID:2444
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    PID:1996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1188
      4⤵
      Program crash
      PID:2260
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:1284

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1252
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2216
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:956
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:580
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:304

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:768
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:856
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3060
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    PID:2376
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:3060

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1992
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1316
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    PID:992
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:2712

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:848
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1384
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1600
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2360
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    PID:2360
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:1732

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1732
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1244
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    PID:332
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:2176

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1636
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2804
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    PID:956
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:2496

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
PID:2932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    PID:696
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1648
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2972
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 34412
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nerve.xll
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 34412\According.com + Word + Henry + Society + Urge + Sanyo + Consultancy + Marc + Pod + Despite 34412\According.com
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Aerial.xll + ..\Lending.xll + ..\Passengers.xll + ..\Centers.xll + ..\Choose.xll + ..\Fe.xll + ..\Squirting.xll + ..\Thompson.xll O
    3⤵
    PID:1244
- - C:\Users\Admin\AppData\Local\Temp\34412\According.com
    According.com O
    3⤵
    PID:932
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:3068

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    PID:912
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:332
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1132
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:2124

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
PID:2300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2868
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2248
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:1916

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1448
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2588
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    PID:1288

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2700
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:1888

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2520
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:2816

C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe
"C:\Users\Admin\Desktop\voicemod pro 1.2.2.7 crack.exe"
1⤵
PID:1788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Casino.xll Casino.xll.bat & Casino.xll.bat
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\expand.exe
    expand Casino.xll Casino.xll.bat
    3⤵
    PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\34412\According.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\34412\O

Filesize
539KB

MD5
0c70ef1008904d708de0599eed62e40a

SHA1
7f748f37ebf0081b310fb5828fcf57736866567f

SHA256
76c205eea69754a54555f5b19354a2da7779e1e3a24dbf48828df39f04cdf025

SHA512
f16a7a00987c4225ed5543bc4b839885e85180fa61018a28774419d189081d33248025a9fc48695e44db5d05f47654f84d0883ea3142235c8568c381f822ccec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aerial.xll

Filesize
73KB

MD5
b6da650f3bc32b10fb12ff276f4db180

SHA1
d31b15de677ca6818295cbfad36e2bda00f7cbf8

SHA256
0d26df1e6c82c1ab668452e108421f89f5d6a07e2efceb3560dbb767af86babc

SHA512
d886df5daa26acb5a32613c40c9ca8f233496b116ef89ba696aed8283eb302d68dc6a356f2b76bc30067482598e651e59f87297b165ca2cc99afa14987b1ba43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bright

Filesize
753B

MD5
6f60adf9e58af8dbca1cfdbf5301273a

SHA1
19a5863a6541c6dbb061acefcadb829006dac879

SHA256
19106f4c3e35327ad2a3e65682c9429e52665a9b0de2e97b9e755a76edc51431

SHA512
a0e480e7798bcb2dca8b53506d91c15a52fb495345ddb9641c6cdbea249c8b86ab417032dedcda12cab709fe7bd37bac970512e6ddc75bffb1a353467f6ef8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD1FF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Centers.xll

Filesize
67KB

MD5
e7cb29925acf3dd4bd5741c37cefd9bd

SHA1
c54c920fbb455ad3de8b77a0f8f90dd637c1faa8

SHA256
a38fd737f9bcafd188553dee4d35a0701ee7961b27e93e6fddd8cbcdfc4c49c3

SHA512
08677bbf8f0a87847881bff198a468e46578b07b18a6dd257d207f9790c358d2c0bb96a8e044227a5b247b7b1049b4f836b96323227753efd1a3e9c76e02172d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Choose.xll

Filesize
76KB

MD5
ea8246b5c5f8afd0c56bce96b67a38be

SHA1
88634ff2bef01cf2050fca049ac84d6d9a71960a

SHA256
db932284eb050653aa1c5ca43215d647297aa003a746598c10f3341a3c0e4517

SHA512
30f8ec51518595581456481f0710801db2f3bdd7f3e22af461d2b6d9733efdd28c67ae59099f114cc8cb512ce01dce39f1d24dbb175f474e5a9044c522bf8bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Consultancy

Filesize
134KB

MD5
f3d8d8cb7a65c065e6607a143458d578

SHA1
b247f55f6ea2e56d138d202f3405362a7517ef69

SHA256
53ea6fa8d4cc588c47441c917380123b7194a3e6ce2e6a434331c5c438750ae6

SHA512
bb749076f0c172a9bf3152b8270cd503ed80761ea881bab3b704fc3a008d8abefd7583c7db2316b9d3a318b94e4e35d118e922e4504e2c312063a2e40d0f67ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Despite

Filesize
35KB

MD5
8a0143d77ea7d1938062373e6cad3817

SHA1
1bf693e8e39565a5b1f9178f342f1263b2742441

SHA256
6ffe1a7e36bee6976b9915be3b62445db198f027f049249f631baa5e2d581193

SHA512
29af76e8ec7e58b5660f085c69cccf45a5416137d7625407e6a02894a3010f1faebdc52c20ba56e9e1dd6795d39f6978b4c6ba7d924f74275e3187457f52efb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fe.xll

Filesize
86KB

MD5
210634d53ffb4443a5ca36ba0cbe5be7

SHA1
64e3a18c6fa33c669d7e2cb029ad9bb990a37a20

SHA256
c351fdbde77eefc8113e8b1949f5794c36b53bc722356fb778e5ded601be3cd6

SHA512
368b9e04aaa4f1e405dc943095984c98572e4c264f9af10cc6c59807c5872be8bced8fadd6e30ee5d44ee86ba58668a916a63b32e4a9a81d98c454defdcd72e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Henry

Filesize
142KB

MD5
5061a2126455f10ecd09827c7264c18d

SHA1
e0964bfa8f7cdf4f59e66f4d804eef12324f83da

SHA256
8591fe8627273f74806336e394e1441cd30cae17ed738d5482b4bd90809f9b09

SHA512
fa6f63b07e84abdb3f6ac04e6a8ec183efae88fe9786dcdcbd6466e0a055826dca75dd28fa348dae48354737ab6cd6d7062e4d89732aa2eb9bd7e4b3f373711c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lending.xll

Filesize
88KB

MD5
8552d9d2d3a09a2de2b45a117a6b85cb

SHA1
7a0414434d3c5b38f9864e2a57646315dc85fe46

SHA256
41073afa6b632bb797f0465a0bc4648bfa438f5da25c00332794e9eaa6d655a6

SHA512
4c942dd5b1f3e0c8ecae8f12e1a10a1c01f4435055d3e4953f7824ef05913ac9aeef96b98c640d0d085990bcf96011d0ca69b19d9339acbb2c5f5613ed63d1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Marc

Filesize
68KB

MD5
2dd80e06f9548088778a9a982039239f

SHA1
05b432d791605596d6b56d8073c2f9dec1962a87

SHA256
1f87c5321c8ee915e81905062ae80e9aeb3dcbac616ef13b58e8c09d4fb68f1f

SHA512
c08797783b1753110e40598aee9dfbfc3038ee0d76ccbd7fc15b41828ee1a750c45b7f722bf340c866124e63cd9f586a6ff85737eb7e1a6257b95124ac5ccac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nerve.xll

Filesize
63KB

MD5
3967b6bcc654d00985b2438dbe2bb1e4

SHA1
5d94d48a2d92458e54bf42d9e5041ccc43f25b19

SHA256
aead76ebfe8ed19f9c7fdf6bae1752ae8975342c39a06951169db70704df31c1

SHA512
06cf1b91e4b774f8e15f990863009a65ebf1721a81de94439f091297cebaf883cc9cc7a841e70e71a01214a5ab078e43148624f9b31ce02e8263659ef61886f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nerve.xll

Filesize
477KB

MD5
f6f5c335fb7e174757b306b1dc1ade16

SHA1
2def4e0d0f7dc714063eaa0985ac74401e593ae3

SHA256
0fdab57f7bd9f614bfd9e693574ac06f285b0240486d52ae3c80353382ef7a84

SHA512
69b86b724654af9e8ca49d8d0d0aa7fb077fd52b3994da29af2031fe3f6e1b076dc4f1a546cbcaabc855f8472703d5f5ba4daa2001164ee7c1608d4116e8a686

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passengers.xll

Filesize
59KB

MD5
efc624376c18e43e7507c2cb99f35f23

SHA1
60cd90b26e795e587010187e9ec8905e8c8def80

SHA256
5de1707c3b2518158a4df1d305f3a2c4c385d038be6bb103cfd3e68b3210868d

SHA512
65f5eba0adc9da4b3148272a47edfc3c35a6dd08d34696ad0ccb752006f7d26247811fbb94348e7d75f1b3e1bbbb76fbe3530c1510716b0a044b50bbe2069274

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passengers.xll

Filesize
47KB

MD5
c8a66626f18469aa5717b562a3591e54

SHA1
a82695bc4e7b49a120133e588287dd2c5009371a

SHA256
2f5c2cf27a0ec98b89ef139388adcf29ff716f143ef7dc9a064a7e7fe2942375

SHA512
3db490e56646171405c113d9fb4690ef8e78f4c26224e87fd646d9ae2ab2add6ff4e4f95bcd65acc4e8a0b91861d64ac600382ed5403e73033bbc89c1986357c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pod

Filesize
92KB

MD5
a922a49f4fd5407e910735200c7b3c7b

SHA1
4d3822b46ab6639674befde7294365cd53092a86

SHA256
038c480ea4d804ddd07473c9596c9d68766945d7ffc697047e66f7f7c6af11b6

SHA512
4e6407d4d7522a8ecb5d31d9673d0fce34a7e7415a6ab91980903f961f60ebb684d167ec2d93242b2572a3487bbd9deb4cf332fc29c92fe49209a1f414abd9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sanyo

Filesize
120KB

MD5
cb253551bb7c7520ecadfa0db06e5139

SHA1
6a0155f8596b6daf677e1cb4edce5cf3d62bec59

SHA256
a4d9d10dd4514b8e4575f9b8341c9a687309ef79137dd99dd40e00668046caf8

SHA512
1e1d86c2249429a76b42e440a8ab7ac84b1a31dcab6f40756fb19fe4700b9404ea6d973b33c3e16b980c4e1ceec7dcd63c66faa48fa4727f398a8d10af9f3f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Society

Filesize
133KB

MD5
b4d3ff457e285c8f973ebe85d45403ac

SHA1
b1c1241a8953020e169f3076f6fc2a4d83c27733

SHA256
f91a7700ceb66f309b3b47e55edeb5a025c6474d4e690ecf7a12b12433ffa123

SHA512
ade787790fcd548543c1e5ca0b618088ecf767b39f0fae3a4cf1ddcc82839aeb5141f68bd6f9043f98743efa9dcef8ca2e9b5579f5617b2f9fec372617e2c0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Squirting.xll

Filesize
82KB

MD5
d368c79b396d868de1c4b3d34316c7b5

SHA1
c0ed130c5285f38f10a61cf4062b1ec71d8fa541

SHA256
8281d1faed4bd4520b675939df525336fc5c04378d7c44a3159399a637fe7c4f

SHA512
569fcec2e9f58a53eb4b401bab5e87327bfe5e4fc6c537354dfd9634796145ffe68dc484a2b1cfe21f7e6b4cdc0aa255f496743cfff7b2c7d4ea520caf51d494

Download Submit
C:\Users\Admin\AppData\Local\Temp\Squirting.xll

Filesize
15KB

MD5
dcc21dfc4877a37a64d4434ea450f6ce

SHA1
d5a007c8544f837023185f51e90d927a64810e77

SHA256
6a10b17dec0f4ef5b84e6c9c834c5af8e0ca17acab1f15507c6cfcf3452bf042

SHA512
f1fbe3292737b16464503ed5f13b7cfea59fac6c1a32645bf24e34896de08bb68e6d790b158e11cddc5b9531b075e89f4a469a03c62fc4fbe17732db32c28204

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD550.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thompson.xll

Filesize
8KB

MD5
8a09079839a59bb5f1765ef41e3559aa

SHA1
360795e1c849d0870eca931d3c752aa58eddad00

SHA256
614292a48a7a4bf4b2978daccc018bfddca28e7d8c0357afee80e34b6db6a7ba

SHA512
fe91e3de310901680c1cadb286b5232a8ccee3cb848f1a88a4d5b08885c2a69a71f317829a90218a50105565eb3d7841723a95aa7e4dc5ee0a4b8077129aba90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urge

Filesize
95KB

MD5
0ea869ca9b18406a52fa1ae6271164ea

SHA1
8a170a2f648e30cd1c1b6723ffa77ce45e5ca7c8

SHA256
bcb1d16c2aeda8aafd925b28b9fed30141361c3b1eb6a4170487d5b7b5a2ae87

SHA512
73e99ebf81690ef5246f615be2a322021837540d803d53351beea2b5f45be379323f26cd1c8c19bf62c265065c206c93a5f1e818f5a80ca9bac6b90bd5bf3cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Word

Filesize
105KB

MD5
4a9e8dbff979fd5063fc1d47f805a59f

SHA1
201871cae385ca06f95dfc4f9a4c10c28f995a83

SHA256
06db52213d88a26416e3909ad9c3c6d4e7bbe619163b4d314ed88d1d0f92c049

SHA512
b27d91421d33a53ea4dedc3fcf14fddf52fb59acc0b0b432869335a1660fbf3fde973e3308e379e621b40653b25079e0557bf10134ae4192f506ea589c957fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\casino.xll

Filesize
30KB

MD5
9571131323be90fe8bc297ec2dd6b973

SHA1
29e0e6ff1ad434bbfe8056be522e1c55b54eb748

SHA256
772204e17532f29016bbcf844c1320dc77a48fe66edd9a9cce112cff92111b64

SHA512
cd497283d7c91909401214cb9a2f49232deefa5bdf79cd9edfad6eb4aeb082acb87e0c0a8bb5742686a1811363f0e71d4832c84630e9cb9f42ae2b2172b72efd

Download Submit
memory/1884-288-0x00000000035C0000-0x0000000003623000-memory.dmp

Filesize
396KB

Download
memory/1884-284-0x00000000035C0000-0x0000000003623000-memory.dmp

Filesize
396KB

Download
memory/1884-285-0x00000000035C0000-0x0000000003623000-memory.dmp

Filesize
396KB

Download
memory/1884-286-0x00000000035C0000-0x0000000003623000-memory.dmp

Filesize
396KB

Download
memory/1884-287-0x00000000035C0000-0x0000000003623000-memory.dmp

Filesize
396KB

Download