Analysis
-
max time kernel
7s -
max time network
38s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
16-12-2024 18:22
Static task
static1
Behavioral task
behavioral1
Sample
fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Resource
win7-20241023-en
General
-
Target
fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
-
Size
778KB
-
MD5
42091ab1b8cbca4e170ed8806cb67ab0
-
SHA1
3d9389b8eed46f39a3bbc975ad05f31e7a0c7d84
-
SHA256
fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87
-
SHA512
8c8cd397ac77ce6407037c749ce8b051bb1cbe22a78657463c12d3e8fea235fb2bbeee470ba35fa6c09296f28cc57b2ef8ec394319c1b4278efb89338c417e46
-
SSDEEP
12288:i2fgeSMXkVxNnFKZCQTUvBmqTmR6tpOudwzvmzc/J97OTv7w4m22Ry:hgexKx1Fco5La07wzvKcfOTTwh2r
Malware Config
Signatures
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource  yara_rule
behavioral1/memory/3008-12-0x0000000000400000-0x0000000000488000-memory.dmp  Nirsoft
behavioral1/memory/3008-20-0x0000000000400000-0x0000000000488000-memory.dmp  Nirsoft
behavioral1/memory/3008-16-0x0000000000400000-0x0000000000488000-memory.dmp  Nirsoft
behavioral1/memory/3008-18-0x0000000000400000-0x0000000000488000-memory.dmp  Nirsoft
behavioral1/memory/3008-10-0x0000000000400000-0x0000000000488000-memory.dmp  Nirsoft
behavioral1/memory/1584-83-0x0000000000080000-0x0000000000108000-memory.dmp  Nirsoft
behavioral1/memory/1584-80-0x0000000000080000-0x0000000000108000-memory.dmp  Nirsoft
behavioral1/memory/1584-76-0x0000000000080000-0x0000000000108000-memory.dmp  Nirsoft
-
NirSoft MailPassView 8 IoCs
Password recovery tool for various email clients
resource  yara_rule
behavioral1/memory/3008-12-0x0000000000400000-0x0000000000488000-memory.dmp  MailPassView
behavioral1/memory/3008-20-0x0000000000400000-0x0000000000488000-memory.dmp  MailPassView
behavioral1/memory/3008-16-0x0000000000400000-0x0000000000488000-memory.dmp  MailPassView
behavioral1/memory/3008-18-0x0000000000400000-0x0000000000488000-memory.dmp  MailPassView
behavioral1/memory/3008-10-0x0000000000400000-0x0000000000488000-memory.dmp  MailPassView
behavioral1/memory/1584-83-0x0000000000080000-0x0000000000108000-memory.dmp  MailPassView
behavioral1/memory/1584-80-0x0000000000080000-0x0000000000108000-memory.dmp  MailPassView
behavioral1/memory/1584-76-0x0000000000080000-0x0000000000108000-memory.dmp  MailPassView
-
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
resource  yara_rule
behavioral1/memory/3008-12-0x0000000000400000-0x0000000000488000-memory.dmp  WebBrowserPassView
behavioral1/memory/3008-20-0x0000000000400000-0x0000000000488000-memory.dmp  WebBrowserPassView
behavioral1/memory/3008-16-0x0000000000400000-0x0000000000488000-memory.dmp  WebBrowserPassView
behavioral1/memory/3008-18-0x0000000000400000-0x0000000000488000-memory.dmp  WebBrowserPassView
behavioral1/memory/3008-10-0x0000000000400000-0x0000000000488000-memory.dmp  WebBrowserPassView
behavioral1/memory/1584-83-0x0000000000080000-0x0000000000108000-memory.dmp  WebBrowserPassView
behavioral1/memory/1584-80-0x0000000000080000-0x0000000000108000-memory.dmp  WebBrowserPassView
behavioral1/memory/1584-76-0x0000000000080000-0x0000000000108000-memory.dmp  WebBrowserPassView
-
Executes dropped EXE 3 IoCs
pid  Process
2920  BrokerInfrastructure.exe
2884  AudioEndpointBuilder.exe
316  AudioEndpointBuilder.exe
-
Loads dropped DLL 3 IoCs
pid  Process
1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
2920  BrokerInfrastructure.exe
2884  AudioEndpointBuilder.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
6  whatismyipaddress.com
7  whatismyipaddress.com
4  whatismyipaddress.com
-
Suspicious use of SetThreadContext 2 IoCs
description  pid  Process  procid_target
PID 1048 set thread context of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 2884 set thread context of 316  2884  AudioEndpointBuilder.exe  33
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AudioEndpointBuilder.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BrokerInfrastructure.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AudioEndpointBuilder.exe
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 2920 BrokerInfrastructure.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 1048 fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2920 BrokerInfrastructure.exe 2884 AudioEndpointBuilder.exe 2884 AudioEndpointBuilder.exe 2884 AudioEndpointBuilder.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description  pid  Process
Token: SeDebugPrivilege  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Token: SeDebugPrivilege  2920  BrokerInfrastructure.exe
Token: SeDebugPrivilege  2884  AudioEndpointBuilder.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
description  pid  Process  procid_target
PID 1048 wrote to memory of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 1048 wrote to memory of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 1048 wrote to memory of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 1048 wrote to memory of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 1048 wrote to memory of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 1048 wrote to memory of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 1048 wrote to memory of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 1048 wrote to memory of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 1048 wrote to memory of 3008  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  30
PID 1048 wrote to memory of 2920  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  31
PID 1048 wrote to memory of 2920  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  31
PID 1048 wrote to memory of 2920  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  31
PID 1048 wrote to memory of 2920  1048  fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe  31
PID 2920 wrote to memory of 2884  2920  BrokerInfrastructure.exe  32
PID 2920 wrote to memory of 2884  2920  BrokerInfrastructure.exe  32
PID 2920 wrote to memory of 2884  2920  BrokerInfrastructure.exe  32
PID 2920 wrote to memory of 2884  2920  BrokerInfrastructure.exe  32
PID 2884 wrote to memory of 316  2884  AudioEndpointBuilder.exe  33
PID 2884 wrote to memory of 316  2884  AudioEndpointBuilder.exe  33
PID 2884 wrote to memory of 316  2884  AudioEndpointBuilder.exe  33
PID 2884 wrote to memory of 316  2884  AudioEndpointBuilder.exe  33
PID 2884 wrote to memory of 316  2884  AudioEndpointBuilder.exe  33
PID 2884 wrote to memory of 316  2884  AudioEndpointBuilder.exe  33
PID 2884 wrote to memory of 316  2884  AudioEndpointBuilder.exe  33
PID 2884 wrote to memory of 316  2884  AudioEndpointBuilder.exe  33
PID 2884 wrote to memory of 316  2884  AudioEndpointBuilder.exe  33
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe"C:\Users\Admin\AppData\Local\Temp\fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe"C:\Users\Admin\AppData\Local\Temp\fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵PID:2700
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵PID:1512
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exeC:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:316
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:680
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1584
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:304
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:3028
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2608
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2324
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1524
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:956
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:112
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1804
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2316
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2488
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2372
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1700
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2020
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:572
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1580
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1560
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1764
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2080
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1944
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1660
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2612
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1340
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1372
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1708
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1760
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2280
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:960
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2268
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:308
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1548
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2132
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2180
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1388
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1976
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2520
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1688
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1640
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1684
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1652
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2172
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2744
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:816
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2100
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2304
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2668
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1756
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2332
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1600
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2948
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2844
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1964
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1000
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1904
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1828
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:768
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2164
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2956
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2712
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1636
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1324
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2456
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1736
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1028
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:3060
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1452
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1424
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1872
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1896
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2516
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2288
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2784
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1656
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2460
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1572
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2176
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2940
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2552
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1048
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2704
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1200
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:864
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1480
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2572
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2340
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2996
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:940
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2124
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:884
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:1720
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2500
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:792
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2096
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"4⤵PID:2768
-
-
-
Network
MITRE ATT&CK Enterprise v15