e3d4b22f7e9f9ab999b3743d67f3f6c0f8f3da9fb54593ce08610c148e7b4c16

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoIPstudio Setup 3.2.6.exe
Size

72.0MB
MD5

aca9432c8ef0796089cf6a69c6471022
SHA1

301fcc9c4f2d41d380b6ca898bc97399f520f0e7
SHA256

e3d4b22f7e9f9ab999b3743d67f3f6c0f8f3da9fb54593ce08610c148e7b4c16
SHA512

dc9ed9569bb71548f3c47cab132e9307d271a8f95c66bf3dc095d7ca8a5d875b0cab7687b0676270372a5e5fb42afee5749d7a20227d474e8e956934a6c182cf
SSDEEP

1572864:R8OiT5qCxgPCZnoQXI79xIgyEQsSCZW1c0/DSs2Jf9az/e:R81AC+qA9xIgyZ/W0/DXnDe

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VoIPstudio.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation	VoIPstudio.exe

Executes dropped EXE 5 IoCs

Processes:

VoIPstudio.exeVoIPstudio.exeVoIPstudio.exeVoIPstudio.exeVoIPstudio.exe

pid process

1912 VoIPstudio.exe
2316 VoIPstudio.exe
1260 VoIPstudio.exe
2924 VoIPstudio.exe
2512 VoIPstudio.exe

pid	process
1912	VoIPstudio.exe
2316	VoIPstudio.exe
1260	VoIPstudio.exe
2924	VoIPstudio.exe
2512	VoIPstudio.exe

Loads dropped DLL 34 IoCs

Processes:

VoIPstudio Setup 3.2.6.exeVoIPstudio.exeVoIPstudio.exeVoIPstudio.exeVoIPstudio.exeVoIPstudio.exe

pid	process
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1040	VoIPstudio Setup 3.2.6.exe
1192
1912	VoIPstudio.exe
1192
1192
1192
1192
2316	VoIPstudio.exe
1912	VoIPstudio.exe
1192
1260	VoIPstudio.exe
1260	VoIPstudio.exe
1260	VoIPstudio.exe
1260	VoIPstudio.exe
2924	VoIPstudio.exe
2512	VoIPstudio.exe
2512	VoIPstudio.exe
2512	VoIPstudio.exe
2512	VoIPstudio.exe
2512	VoIPstudio.exe
2512	VoIPstudio.exe
2512	VoIPstudio.exe
2512	VoIPstudio.exe
2512	VoIPstudio.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

Processes:

VoIPstudio Setup 3.2.6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\callto\ = "URL:callto"	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\tel\URL Protocol	VoIPstudio Setup 3.2.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sips	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sips\ = "URL:skype"	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\tel\ = "URL:tel"	VoIPstudio Setup 3.2.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sip	VoIPstudio Setup 3.2.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\VoIPstudio.callto\Shell\Open\Command	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\VoIPstudio.callto\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\VoIPstudio\\VoIPstudio.exe --cmd \"callurl %1\""	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sips\Skype Protocol	VoIPstudio Setup 3.2.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\VoIPstudio.callto\Shell	VoIPstudio Setup 3.2.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\callto	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\callto\URL Protocol	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sip\ = "URL:sip"	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sip\URL Protocol	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sips\ = "URL:sips"	VoIPstudio Setup 3.2.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sips\URL Protocol	VoIPstudio Setup 3.2.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\tel	VoIPstudio Setup 3.2.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\VoIPstudio.callto	VoIPstudio Setup 3.2.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\VoIPstudio.callto\Shell\Open	VoIPstudio Setup 3.2.6.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2620 reg.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

VoIPstudio Setup 3.2.6.exeVoIPstudio.exe

pid process

1040 VoIPstudio Setup 3.2.6.exe
1040 VoIPstudio Setup 3.2.6.exe
1040 VoIPstudio Setup 3.2.6.exe
1912 VoIPstudio.exe
1912 VoIPstudio.exe

pid	process
2620	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VoIPstudio Setup 3.2.6.exeVoIPstudio.exe

description	pid	process
Token: SeSecurityPrivilege	1040	VoIPstudio Setup 3.2.6.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe
Token: SeShutdownPrivilege	1912	VoIPstudio.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VoIPstudio.exe

description	pid	process	target process
PID 1912 wrote to memory of 2316	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2316	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2316	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2620	1912	VoIPstudio.exe	reg.exe
PID 1912 wrote to memory of 2620	1912	VoIPstudio.exe	reg.exe
PID 1912 wrote to memory of 2620	1912	VoIPstudio.exe	reg.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 1260	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2924	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2924	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2924	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe
PID 1912 wrote to memory of 2512	1912	VoIPstudio.exe	VoIPstudio.exe

C:\Users\Admin\AppData\Local\Temp\VoIPstudio Setup 3.2.6.exe
"C:\Users\Admin\AppData\Local\Temp\VoIPstudio Setup 3.2.6.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe
"C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe
  C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\VoIPstudio /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\VoIPstudio\Crashpad --url=https://level7-rx.sp.backtrace.io:443/post?format=minidump&token=b262597be8487f7d206748f390a346af783be95bac7e2b7f01aca1c8ed9a43d0 --annotation=_companyName=level7 "--annotation=_productName=VoIPstudio 3.2.6 win32 6.1.7601" --annotation=_version=3.2.6 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=20.1.0 --initial-client-data=0x314,0x318,0x31c,0x30c,0x320,0x14875c868,0x14875c878,0x14875c888
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2316
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v VoIPstudio
  2⤵
  - Modifies registry key
  PID:2620
- C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe
  "C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\VoIPstudio" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1168,i,17830650687274011116,1971774857948520496,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1260
- C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe
  "C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\VoIPstudio" --mojo-platform-channel-handle=1496 --field-trial-handle=1168,i,17830650687274011116,1971774857948520496,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2924
- C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe
  "C:\Users\Admin\AppData\Local\Programs\VoIPstudio\VoIPstudio.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\VoIPstudio" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1148 --field-trial-handle=1168,i,17830650687274011116,1971774857948520496,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\VoIPstudio\chrome_100_percent.pak

Filesize
126KB

MD5
a3d4515d3a33a407d313a62818e82a5d

SHA1
967ff9a6774a66f7b3299af4fd5d70961ed54d79

SHA256
662a9db6ef4197cb4b6c50648a2cafceb7fd903015828df3fee605a602370be0

SHA512
0c757e1beccbca1ae0791fa0c51a9e2019696bd0965c73de67b364fba6f317ea2cf20fa65e4fa7dd22519683528e5112dc8c530049170f4e702e0c8d4e065801

Download Submit
C:\Users\Admin\AppData\Local\Programs\VoIPstudio\chrome_200_percent.pak

Filesize
175KB

MD5
3bab45c70f22646cf8452c30903810cb

SHA1
40b31d4c79b5a2b8d12f8cf8b6c49c962c31f766

SHA256
d4282ae977f23afe252e19e421c8d09696ea3b83a1e73a6aaebaaa5547c74cbc

SHA512
85eda055494f0233c963e821906cf69d94e664d8396e8b08e7a8f412e1c16af71252fef1bfe3ed43cfad157aa90c0dcbb375626e2ddf0e807c9b23ad27e61d9c

Download Submit
C:\Users\Admin\AppData\Local\Programs\VoIPstudio\icudtl.dat

Filesize
10.0MB

MD5
6690f2b2384e1bf8961fda96a4d07691

SHA1
111f6dd9833c653908431621fe8fbc87f1135632

SHA256
cb73d42d36839708013393ad0e4e932fdda9a1acda9275ecdbe74fe89eea8366

SHA512
6a5242fdc0ba09e339151feae1b3f7a9f00a09288b6f4ea9305d1a09d8bc3015c074ee91de35b8d6fc765c2fb55ec37dd91b8e66b7a7bb3148cbc305de19b088

Download Submit
C:\Users\Admin\AppData\Local\Programs\VoIPstudio\locales\en-US.pak

Filesize
296KB

MD5
1e9b12891461eefd9db12e537965329c

SHA1
bf2346e045f79a70218890764b9318fa86886b36

SHA256
bd67fc968d75e77f2bae7ad552c398ccc4dad8635d74814c2046f813010c45e7

SHA512
3f01b9fc7e07bf6f3f8cda357debb83f73bb24179f6926d0b24114ac0078f42941a68842453bd7ee86cb759ef76e240b84278ebe1541cb659fb7caf3cf5b6820

Download Submit
C:\Users\Admin\AppData\Local\Programs\VoIPstudio\resources.pak

Filesize
5.1MB

MD5
2962acbc85b125ba498bd3d97b6dd40f

SHA1
77455d7e59fb0925c750ae60b01f25d270a35923

SHA256
5bdbcb405a06885cb3db1130cd266bcaa6312a1f4888ed440461e20be6ce19ce

SHA512
9e933c38e2a2376e17af4882b7e79ea9d01c18919dafa00c1a913b0d8227e7f97b9ca99523afaaf74a5fc08a14f2522926a7bde7c56f97886f3078d33ecf5602

Download Submit
C:\Users\Admin\AppData\Local\Programs\VoIPstudio\resources\app.asar

Filesize
41.1MB

MD5
413097bf6540e4296b2e0132b547b189

SHA1
3c7275cf323680d30d8cf5d24eb682c0c21d3f3f

SHA256
2b988f1818949ebdf0aa4bde85a593f5acde0d95d1638b09272888b8263deab2

SHA512
743b44d1e90aac0a7e633f5400edad86aefe3d84b98d93a8da50ca1767a44528ee2bc54acc96c2de43ee6cc9e8f67720b41fcbeb83700d3bc73d4470ef77d761

Download Submit
C:\Users\Admin\AppData\Local\Programs\VoIPstudio\v8_context_snapshot.bin

Filesize
716KB

MD5
4451f66c2490eb3c78c287f95c9beed0

SHA1
3309b7022c1b8579b8c19d6ebfe4eccc4a25f9ac

SHA256
4fc62bc65ffed3f595a626cc5b66d72a85d3e7287005c00e321d896e61767499

SHA512
f8e7df190733383e8198025f660d243e8ae07bcbfc6d30d27f14381869b926c2c65ccd03ec60f665d8803df0a0e40f8ff648d0a8da87ae0a69b6d02dddc92423

Download Submit
C:\Users\Admin\AppData\Local\Programs\VoIPstudio\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst29C0.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\??\pipe\crashpad_1912_DVMTGXVOPCZBJTDS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Programs\VoIPstudio\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
\Users\Admin\AppData\Local\Programs\VoIPstudio\ffmpeg.dll

Filesize
2.7MB

MD5
5969c017a8544a612d9609024a11e61b

SHA1
f4018bb5b1ada0a483f0cba9160ce868babf0da6

SHA256
f407da582f23f37b9d9f42c1c1e3cd998ef570806e0e80d6fb8c6305121a12e3

SHA512
0ea4393191d1a70bd459ad7da2d966347c3e561aa70a336f803297917a2850e00a3fc18b86e8c8a67a49192094230c76f5a64012980897f3fae5b3c83cb657a4

Download Submit
\Users\Admin\AppData\Local\Programs\VoIPstudio\libEGL.dll

Filesize
458KB

MD5
2abf9522f402dfad5f33a880eb3f5839

SHA1
dc7f7d6f279a237238de40bdcb4c4ba0155e8d03

SHA256
8ec237e80f70e37652192a3940de4cbebcfa20afc09250770599c82708fdd99a

SHA512
0611808cf6bff371216f6ddd2691ccb0a67a05bdf866e6eb31144cd305cc47649ca9c74f46f0826a3d39b7c80c52a250f382ccfcb3669f912866a9203eaca7b7

Download Submit
\Users\Admin\AppData\Local\Programs\VoIPstudio\libGLESv2.dll

Filesize
7.1MB

MD5
9e413e4af280574fe22375711b229d18

SHA1
03c59d608478987cf268522f4b8c3171e53133ef

SHA256
3daaafbd8a015003a54479c5ae7ef455073d924e846c08ca357c0af51713ea44

SHA512
a678264bbae93fad4077c9b11986dc9e33842b212e2212744f3ba848be73d4820d89662fc1c0f60ff03b9ddf9713e8c06479e6ecaf79fd4ddf384f02916da43d

Download Submit
\Users\Admin\AppData\Local\Programs\VoIPstudio\resources\app.asar.unpacked\node_modules\keytar\build\Release\win32\x64\keytar.node

Filesize
691KB

MD5
c5c99144e2e1589628e14999ba59ad73

SHA1
9c80f8de6b5cdaf38677d5368b5287bacb9e465a

SHA256
90e35de89ab5e5f9290e4ff1bbadcf221a82b2aa0d9b922187dc980adff3c831

SHA512
0bcb99953397c6604d8e08bf2ba89248ee82f92436c2dcc779157b65227b0e1350927273a1b6d150a9db914d0a8830680df05ef651ee291b40657a3025a721c5

Download Submit
\Users\Admin\AppData\Local\Programs\VoIPstudio\vk_swiftshader.dll

Filesize
4.6MB

MD5
ffab5bd97f5ea975565f91796e45f21b

SHA1
0151861fb9adcc991bbde253a6cef93bf3c4fb33

SHA256
78f457872d411c9435f124f13e45be3a9a233b1c09c66cc393ead7aacbe7e9f1

SHA512
b86a7365ba48bc714d6c618f18da79ed095b0527d7a0195f795f0f6befa4f4650021fff8b7806d29b3826e134b4b9c1622b366c110c21fb3d30e280b67a31ba5

Download Submit
\Users\Admin\AppData\Local\Programs\VoIPstudio\vulkan-1.dll

Filesize
849KB

MD5
06f202c0f47dd4a53e8ff81c4895a414

SHA1
d7e0ad009d690aa92510a47b25c3faaaeb1ea981

SHA256
9377fb4fe36f25195883a2dc3ecefc39c428ce384ccc25ff859cd081798b2a64

SHA512
de5b2412b210488fe3dd555c0e62053174323314294fbabef348d1a960ee1f63a643a79510f32db0ffa47a92f40650dec32f400e3aacfdcbbfe9710aefdf499c

Download Submit
\Users\Admin\AppData\Local\Temp\nst29C0.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nst29C0.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nst29C0.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nst29C0.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nst29C0.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1040-207-0x0000000002990000-0x0000000002992000-memory.dmp

Filesize
8KB

Download
memory/1260-284-0x0000000077140000-0x0000000077141000-memory.dmp

Filesize
4KB

Download
memory/1260-253-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download