hawkeye | 252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

Analysis

max time kernel
227s
max time network
292s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
Size

1.0MB
MD5

ba94b8d9b8240b4958e493f20dcd1661
SHA1

e188dea55d097009b49a6e809c288aa700fd2119
SHA256

252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df
SHA512

666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298
SSDEEP

24576:P+nIKZfldGM5sEvSI+k4rRrDW1c9wBmTGNN5:PaIUldGraSI+jlrS1c9wz5

Score

10^/10

hawkeye agilenet keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 48 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1908-60-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1908-62-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1908-61-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1908-63-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1908-65-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1908-67-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1416-97-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1416-100-0x00000000001C0000-0x00000000002B0000-memory.dmp	MailPassView
behavioral1/memory/1416-104-0x00000000001C0000-0x00000000002B0000-memory.dmp	MailPassView
behavioral1/memory/1416-107-0x00000000001C0000-0x00000000002B0000-memory.dmp	MailPassView
behavioral1/memory/1904-117-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1904-122-0x0000000000430000-0x0000000000520000-memory.dmp	MailPassView
behavioral1/memory/1904-121-0x0000000000432000-0x000000000051C000-memory.dmp	MailPassView
behavioral1/memory/1904-124-0x0000000000432000-0x000000000051C000-memory.dmp	MailPassView
behavioral1/memory/1904-125-0x0000000000430000-0x0000000000520000-memory.dmp	MailPassView
behavioral1/memory/1660-137-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1660-142-0x0000000000440000-0x0000000000530000-memory.dmp	MailPassView
behavioral1/memory/1660-144-0x0000000000442000-0x000000000052C000-memory.dmp	MailPassView
behavioral1/memory/1660-145-0x0000000000440000-0x0000000000530000-memory.dmp	MailPassView
behavioral1/memory/1980-158-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1980-163-0x0000000000420000-0x0000000000510000-memory.dmp	MailPassView
behavioral1/memory/1980-165-0x0000000000422000-0x000000000050C000-memory.dmp	MailPassView
behavioral1/memory/1980-166-0x0000000000420000-0x0000000000510000-memory.dmp	MailPassView
behavioral1/memory/896-179-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/188-200-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/2000-220-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1220-240-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/2016-260-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/272-280-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1364-301-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/904-321-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1552-336-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1604-357-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/964-373-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/436-393-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1652-413-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/768-428-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1040-443-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1972-463-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/2032-483-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1644-503-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1800-518-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1964-539-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1380-559-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1664-579-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/320-599-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/808-619-0x00000000004EB15E-mapping.dmp	MailPassView
behavioral1/memory/1864-634-0x00000000004EB15E-mapping.dmp	MailPassView

NirSoft WebBrowserPassView 48 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1908-60-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1908-62-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1908-61-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1908-63-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1908-65-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1908-67-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1416-97-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1416-100-0x00000000001C0000-0x00000000002B0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1416-104-0x00000000001C0000-0x00000000002B0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1416-107-0x00000000001C0000-0x00000000002B0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1904-117-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1904-122-0x0000000000430000-0x0000000000520000-memory.dmp	WebBrowserPassView
behavioral1/memory/1904-121-0x0000000000432000-0x000000000051C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1904-124-0x0000000000432000-0x000000000051C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1904-125-0x0000000000430000-0x0000000000520000-memory.dmp	WebBrowserPassView
behavioral1/memory/1660-137-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1660-142-0x0000000000440000-0x0000000000530000-memory.dmp	WebBrowserPassView
behavioral1/memory/1660-144-0x0000000000442000-0x000000000052C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1660-145-0x0000000000440000-0x0000000000530000-memory.dmp	WebBrowserPassView
behavioral1/memory/1980-158-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1980-163-0x0000000000420000-0x0000000000510000-memory.dmp	WebBrowserPassView
behavioral1/memory/1980-165-0x0000000000422000-0x000000000050C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1980-166-0x0000000000420000-0x0000000000510000-memory.dmp	WebBrowserPassView
behavioral1/memory/896-179-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/188-200-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/2000-220-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1220-240-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/2016-260-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/272-280-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1364-301-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/904-321-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1552-336-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1604-357-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/964-373-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/436-393-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1652-413-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/768-428-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1040-443-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1972-463-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/2032-483-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1644-503-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1800-518-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1964-539-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1380-559-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1664-579-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/320-599-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/808-619-0x00000000004EB15E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1864-634-0x00000000004EB15E-mapping.dmp	WebBrowserPassView

Nirsoft 48 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1908-60-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1908-62-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1908-61-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1908-63-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1908-65-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1908-67-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1416-97-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1416-100-0x00000000001C0000-0x00000000002B0000-memory.dmp	Nirsoft
behavioral1/memory/1416-104-0x00000000001C0000-0x00000000002B0000-memory.dmp	Nirsoft
behavioral1/memory/1416-107-0x00000000001C0000-0x00000000002B0000-memory.dmp	Nirsoft
behavioral1/memory/1904-117-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1904-122-0x0000000000430000-0x0000000000520000-memory.dmp	Nirsoft
behavioral1/memory/1904-121-0x0000000000432000-0x000000000051C000-memory.dmp	Nirsoft
behavioral1/memory/1904-124-0x0000000000432000-0x000000000051C000-memory.dmp	Nirsoft
behavioral1/memory/1904-125-0x0000000000430000-0x0000000000520000-memory.dmp	Nirsoft
behavioral1/memory/1660-137-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1660-142-0x0000000000440000-0x0000000000530000-memory.dmp	Nirsoft
behavioral1/memory/1660-144-0x0000000000442000-0x000000000052C000-memory.dmp	Nirsoft
behavioral1/memory/1660-145-0x0000000000440000-0x0000000000530000-memory.dmp	Nirsoft
behavioral1/memory/1980-158-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1980-163-0x0000000000420000-0x0000000000510000-memory.dmp	Nirsoft
behavioral1/memory/1980-165-0x0000000000422000-0x000000000050C000-memory.dmp	Nirsoft
behavioral1/memory/1980-166-0x0000000000420000-0x0000000000510000-memory.dmp	Nirsoft
behavioral1/memory/896-179-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/188-200-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/2000-220-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1220-240-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/2016-260-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/272-280-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1364-301-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/904-321-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1552-336-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1604-357-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/964-373-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/436-393-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1652-413-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/768-428-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1040-443-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1972-463-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/2032-483-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1644-503-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1800-518-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1964-539-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1380-559-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1664-579-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/320-599-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/808-619-0x00000000004EB15E-mapping.dmp	Nirsoft
behavioral1/memory/1864-634-0x00000000004EB15E-mapping.dmp	Nirsoft

Executes dropped EXE 32 IoCs

Processes:

BrokerInfrastructure.exeAudioEndpointBuilder.exeBrokerInfrastructure.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exe

pid	process
1808	BrokerInfrastructure.exe
1656	AudioEndpointBuilder.exe
1956	BrokerInfrastructure.exe
1416	AudioEndpointBuilder.exe
1904	AudioEndpointBuilder.exe
1660	AudioEndpointBuilder.exe
1980	AudioEndpointBuilder.exe
896	AudioEndpointBuilder.exe
188	AudioEndpointBuilder.exe
2000	AudioEndpointBuilder.exe
1220	AudioEndpointBuilder.exe
2016	AudioEndpointBuilder.exe
272	AudioEndpointBuilder.exe
1364	AudioEndpointBuilder.exe
904	AudioEndpointBuilder.exe
1552	AudioEndpointBuilder.exe
1604	AudioEndpointBuilder.exe
964	AudioEndpointBuilder.exe
436	AudioEndpointBuilder.exe
1652	AudioEndpointBuilder.exe
768	AudioEndpointBuilder.exe
1040	AudioEndpointBuilder.exe
1972	AudioEndpointBuilder.exe
2032	AudioEndpointBuilder.exe
1644	AudioEndpointBuilder.exe
1800	AudioEndpointBuilder.exe
1964	AudioEndpointBuilder.exe
1380	AudioEndpointBuilder.exe
1664	AudioEndpointBuilder.exe
320	AudioEndpointBuilder.exe
808	AudioEndpointBuilder.exe
1864	AudioEndpointBuilder.exe

Loads dropped DLL 31 IoCs

Processes:

252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

pid	process
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe

Obfuscated with Agile.Net obfuscator 60 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exeBrokerInfrastructure.exeBrokerInfrastructure.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\BrokerInfrastructure = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\BrokerInfrastructure.exe"	BrokerInfrastructure.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\BrokerInfrastructure = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\BrokerInfrastructure.exe"	BrokerInfrastructure.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 whatismyipaddress.com
10 whatismyipaddress.com
12 whatismyipaddress.com

flow	ioc
8	whatismyipaddress.com
10	whatismyipaddress.com
12	whatismyipaddress.com

Suspicious use of SetThreadContext 30 IoCs

Processes:

252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exeAudioEndpointBuilder.exe

description	pid	process	target process
PID 700 set thread context of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 1656 set thread context of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 896	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 188	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 2000	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1220	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 2016	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 272	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1364	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1552	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1604	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 964	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 436	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1652	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 768	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1040	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1972	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 2032	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1644	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1800	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1964	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1380	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1664	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 320	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 808	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 set thread context of 1864	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exeBrokerInfrastructure.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

pid	process
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1808	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1956	BrokerInfrastructure.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1956	BrokerInfrastructure.exe
1656	AudioEndpointBuilder.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1956	BrokerInfrastructure.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1656	AudioEndpointBuilder.exe
700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe
1656	AudioEndpointBuilder.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exeBrokerInfrastructure.exeAudioEndpointBuilder.exeBrokerInfrastructure.exe252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe

description	pid	process
Token: SeDebugPrivilege	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
Token: SeDebugPrivilege	1808	BrokerInfrastructure.exe
Token: SeDebugPrivilege	1656	AudioEndpointBuilder.exe
Token: SeDebugPrivilege	1956	BrokerInfrastructure.exe
Token: SeDebugPrivilege	1908	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe

pid process

1908 252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe

pid	process
1908	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

description	pid	process	target process
PID 700 wrote to memory of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 700 wrote to memory of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 700 wrote to memory of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 700 wrote to memory of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 700 wrote to memory of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 700 wrote to memory of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 700 wrote to memory of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 700 wrote to memory of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 700 wrote to memory of 1908	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
PID 700 wrote to memory of 1808	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	BrokerInfrastructure.exe
PID 700 wrote to memory of 1808	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	BrokerInfrastructure.exe
PID 700 wrote to memory of 1808	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	BrokerInfrastructure.exe
PID 700 wrote to memory of 1808	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	BrokerInfrastructure.exe
PID 1808 wrote to memory of 1656	1808	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1808 wrote to memory of 1656	1808	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1808 wrote to memory of 1656	1808	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1808 wrote to memory of 1656	1808	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 700 wrote to memory of 1956	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	BrokerInfrastructure.exe
PID 700 wrote to memory of 1956	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	BrokerInfrastructure.exe
PID 700 wrote to memory of 1956	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	BrokerInfrastructure.exe
PID 700 wrote to memory of 1956	700	252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe	BrokerInfrastructure.exe
PID 1656 wrote to memory of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1416	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1904	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1660	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 1980	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 896	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 896	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 896	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 896	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 896	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 896	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1656 wrote to memory of 896	1656	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe

C:\Users\Admin\AppData\Local\Temp\252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
"C:\Users\Admin\AppData\Local\Temp\252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
"C:\Users\Admin\AppData\Local\Temp\252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:1100

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1416

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1904

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:896

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:188

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:2000

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:272

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1364

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:904

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:436

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:768

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1040

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1800

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1380

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:320

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:808

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
18KB

MD5
438ff4b0be821db38a6a42de1cc31b17

SHA1
fe32a6fb21e9ada989c59b02c0ad2480f2f0cff7

SHA256
6b2502b64e12a85330a73309df501a14a8a9b8a5ef9603c30e43162270ab21b4

SHA512
560f833bee02398359ae59cbd964d7c16f45fab753c126242e086198e28547ac20cd96f0370316aa2164aa28a1f96fe19298603640eaaa79e43ada0778b71bb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
18KB

MD5
438ff4b0be821db38a6a42de1cc31b17

SHA1
fe32a6fb21e9ada989c59b02c0ad2480f2f0cff7

SHA256
6b2502b64e12a85330a73309df501a14a8a9b8a5ef9603c30e43162270ab21b4

SHA512
560f833bee02398359ae59cbd964d7c16f45fab753c126242e086198e28547ac20cd96f0370316aa2164aa28a1f96fe19298603640eaaa79e43ada0778b71bb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
18KB

MD5
438ff4b0be821db38a6a42de1cc31b17

SHA1
fe32a6fb21e9ada989c59b02c0ad2480f2f0cff7

SHA256
6b2502b64e12a85330a73309df501a14a8a9b8a5ef9603c30e43162270ab21b4

SHA512
560f833bee02398359ae59cbd964d7c16f45fab753c126242e086198e28547ac20cd96f0370316aa2164aa28a1f96fe19298603640eaaa79e43ada0778b71bb5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
ba94b8d9b8240b4958e493f20dcd1661

SHA1
e188dea55d097009b49a6e809c288aa700fd2119

SHA256
252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df

SHA512
666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
18KB

MD5
438ff4b0be821db38a6a42de1cc31b17

SHA1
fe32a6fb21e9ada989c59b02c0ad2480f2f0cff7

SHA256
6b2502b64e12a85330a73309df501a14a8a9b8a5ef9603c30e43162270ab21b4

SHA512
560f833bee02398359ae59cbd964d7c16f45fab753c126242e086198e28547ac20cd96f0370316aa2164aa28a1f96fe19298603640eaaa79e43ada0778b71bb5

Download Submit
memory/188-200-0x00000000004EB15E-mapping.dmp

Download
memory/188-212-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/272-292-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/272-280-0x00000000004EB15E-mapping.dmp

Download
memory/320-599-0x00000000004EB15E-mapping.dmp

Download
memory/320-611-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/436-393-0x00000000004EB15E-mapping.dmp

Download
memory/436-405-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/700-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/700-56-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/700-55-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/768-428-0x00000000004EB15E-mapping.dmp

Download
memory/768-435-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/808-619-0x00000000004EB15E-mapping.dmp

Download
memory/808-626-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/896-192-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/896-179-0x00000000004EB15E-mapping.dmp

Download
memory/896-191-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/904-328-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/904-321-0x00000000004EB15E-mapping.dmp

Download
memory/964-385-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/964-373-0x00000000004EB15E-mapping.dmp

Download
memory/1040-443-0x00000000004EB15E-mapping.dmp

Download
memory/1040-455-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-252-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-240-0x00000000004EB15E-mapping.dmp

Download
memory/1364-301-0x00000000004EB15E-mapping.dmp

Download
memory/1364-313-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-559-0x00000000004EB15E-mapping.dmp

Download
memory/1380-571-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1416-97-0x00000000004EB15E-mapping.dmp

Download
memory/1416-107-0x00000000001C0000-0x00000000002B0000-memory.dmp

Filesize
960KB

Download
memory/1416-109-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1416-104-0x00000000001C0000-0x00000000002B0000-memory.dmp

Filesize
960KB

Download
memory/1416-100-0x00000000001C0000-0x00000000002B0000-memory.dmp

Filesize
960KB

Download
memory/1552-336-0x00000000004EB15E-mapping.dmp

Download
memory/1552-349-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-348-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-357-0x00000000004EB15E-mapping.dmp

Download
memory/1604-364-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-365-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-510-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-503-0x00000000004EB15E-mapping.dmp

Download
memory/1652-420-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-413-0x00000000004EB15E-mapping.dmp

Download
memory/1656-88-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-77-0x0000000000000000-mapping.dmp

Download
memory/1656-81-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-137-0x00000000004EB15E-mapping.dmp

Download
memory/1660-145-0x0000000000440000-0x0000000000530000-memory.dmp

Filesize
960KB

Download
memory/1660-149-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-150-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-142-0x0000000000440000-0x0000000000530000-memory.dmp

Filesize
960KB

Download
memory/1660-144-0x0000000000442000-0x000000000052C000-memory.dmp

Filesize
936KB

Download
memory/1664-579-0x00000000004EB15E-mapping.dmp

Download
memory/1664-591-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-518-0x00000000004EB15E-mapping.dmp

Download
memory/1800-530-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-531-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1808-71-0x0000000000000000-mapping.dmp

Download
memory/1808-80-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1808-83-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1808-84-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1864-634-0x00000000004EB15E-mapping.dmp

Download
memory/1904-129-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-117-0x00000000004EB15E-mapping.dmp

Download
memory/1904-112-0x0000000000432000-0x000000000051C000-memory.dmp

Filesize
936KB

Download
memory/1904-124-0x0000000000432000-0x000000000051C000-memory.dmp

Filesize
936KB

Download
memory/1904-122-0x0000000000430000-0x0000000000520000-memory.dmp

Filesize
960KB

Download
memory/1904-125-0x0000000000430000-0x0000000000520000-memory.dmp

Filesize
960KB

Download
memory/1904-121-0x0000000000432000-0x000000000051C000-memory.dmp

Filesize
936KB

Download
memory/1908-65-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1908-63-0x00000000004EB15E-mapping.dmp

Download
memory/1908-58-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1908-67-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1908-61-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1908-62-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1908-60-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1908-69-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-82-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-57-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1956-89-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-295-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-85-0x0000000000000000-mapping.dmp

Download
memory/1964-539-0x00000000004EB15E-mapping.dmp

Download
memory/1964-551-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-475-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-463-0x00000000004EB15E-mapping.dmp

Download
memory/1980-163-0x0000000000420000-0x0000000000510000-memory.dmp

Filesize
960KB

Download
memory/1980-158-0x00000000004EB15E-mapping.dmp

Download
memory/1980-165-0x0000000000422000-0x000000000050C000-memory.dmp

Filesize
936KB

Download
memory/1980-166-0x0000000000420000-0x0000000000510000-memory.dmp

Filesize
960KB

Download
memory/1980-170-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-171-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-220-0x00000000004EB15E-mapping.dmp

Download
memory/2000-232-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-260-0x00000000004EB15E-mapping.dmp

Download
memory/2016-272-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-483-0x00000000004EB15E-mapping.dmp

Download
memory/2032-495-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download