hawkeye | fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87

Analysis

max time kernel
10s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 18:22 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Size

778KB
MD5

42091ab1b8cbca4e170ed8806cb67ab0
SHA1

3d9389b8eed46f39a3bbc975ad05f31e7a0c7d84
SHA256

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87
SHA512

8c8cd397ac77ce6407037c749ce8b051bb1cbe22a78657463c12d3e8fea235fb2bbeee470ba35fa6c09296f28cc57b2ef8ec394319c1b4278efb89338c417e46
SSDEEP

12288:i2fgeSMXkVxNnFKZCQTUvBmqTmR6tpOudwzvmzc/J97OTv7w4m22Ry:hgexKx1Fco5La07wzvKcfOTTwh2r

Score

10^/10

hawkeye collection discovery keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4492-6-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral2/memory/1740-59-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1740-57-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1740-56-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4956-115-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4956-114-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4956-126-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4492-6-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral2/memory/1740-59-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1740-57-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1740-56-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4492-6-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral2/memory/4956-115-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4956-114-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4956-126-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	AudioEndpointBuilder.exe

Executes dropped EXE 12 IoCs

pid	Process
3988	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
2104	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
2272	AudioEndpointBuilder.exe
456	AudioEndpointBuilder.exe
2344	AudioEndpointBuilder.exe
4468	AudioEndpointBuilder.exe
4700	AudioEndpointBuilder.exe
4256	AudioEndpointBuilder.exe
4668	AudioEndpointBuilder.exe
4612	AudioEndpointBuilder.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	whatismyipaddress.com
15	whatismyipaddress.com

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 796 set thread context of 4492	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	83
PID 4488 set thread context of 2104	4488	AudioEndpointBuilder.exe	89
PID 4488 set thread context of 2272	4488	AudioEndpointBuilder.exe	91
PID 4488 set thread context of 456	4488	AudioEndpointBuilder.exe	92
PID 4488 set thread context of 2344	4488	AudioEndpointBuilder.exe	93
PID 4492 set thread context of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4488 set thread context of 4468	4488	AudioEndpointBuilder.exe	95
PID 4488 set thread context of 4700	4488	AudioEndpointBuilder.exe	97
PID 4488 set thread context of 4256	4488	AudioEndpointBuilder.exe	98
PID 4488 set thread context of 4668	4488	AudioEndpointBuilder.exe	99
PID 4488 set thread context of 4612	4488	AudioEndpointBuilder.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BrokerInfrastructure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BrokerInfrastructure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioEndpointBuilder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
3988	BrokerInfrastructure.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
3988	BrokerInfrastructure.exe
3988	BrokerInfrastructure.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
3988	BrokerInfrastructure.exe
3988	BrokerInfrastructure.exe
796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
816	BrokerInfrastructure.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
4488	AudioEndpointBuilder.exe
816	BrokerInfrastructure.exe
816	BrokerInfrastructure.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Token: SeDebugPrivilege	3988	BrokerInfrastructure.exe
Token: SeDebugPrivilege	4488	AudioEndpointBuilder.exe
Token: SeDebugPrivilege	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
Token: SeDebugPrivilege	816	BrokerInfrastructure.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 4492	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	83
PID 796 wrote to memory of 4492	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	83
PID 796 wrote to memory of 4492	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	83
PID 796 wrote to memory of 4492	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	83
PID 796 wrote to memory of 4492	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	83
PID 796 wrote to memory of 4492	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	83
PID 796 wrote to memory of 4492	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	83
PID 796 wrote to memory of 4492	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	83
PID 796 wrote to memory of 3988	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	84
PID 796 wrote to memory of 3988	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	84
PID 796 wrote to memory of 3988	796	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	84
PID 3988 wrote to memory of 4488	3988	BrokerInfrastructure.exe	85
PID 3988 wrote to memory of 4488	3988	BrokerInfrastructure.exe	85
PID 3988 wrote to memory of 4488	3988	BrokerInfrastructure.exe	85
PID 4488 wrote to memory of 2104	4488	AudioEndpointBuilder.exe	89
PID 4488 wrote to memory of 2104	4488	AudioEndpointBuilder.exe	89
PID 4488 wrote to memory of 2104	4488	AudioEndpointBuilder.exe	89
PID 4488 wrote to memory of 2104	4488	AudioEndpointBuilder.exe	89
PID 4488 wrote to memory of 2104	4488	AudioEndpointBuilder.exe	89
PID 4488 wrote to memory of 2104	4488	AudioEndpointBuilder.exe	89
PID 4488 wrote to memory of 2104	4488	AudioEndpointBuilder.exe	89
PID 4488 wrote to memory of 2104	4488	AudioEndpointBuilder.exe	89
PID 4488 wrote to memory of 816	4488	AudioEndpointBuilder.exe	90
PID 4488 wrote to memory of 816	4488	AudioEndpointBuilder.exe	90
PID 4488 wrote to memory of 816	4488	AudioEndpointBuilder.exe	90
PID 4488 wrote to memory of 2272	4488	AudioEndpointBuilder.exe	91
PID 4488 wrote to memory of 2272	4488	AudioEndpointBuilder.exe	91
PID 4488 wrote to memory of 2272	4488	AudioEndpointBuilder.exe	91
PID 4488 wrote to memory of 2272	4488	AudioEndpointBuilder.exe	91
PID 4488 wrote to memory of 2272	4488	AudioEndpointBuilder.exe	91
PID 4488 wrote to memory of 2272	4488	AudioEndpointBuilder.exe	91
PID 4488 wrote to memory of 2272	4488	AudioEndpointBuilder.exe	91
PID 4488 wrote to memory of 2272	4488	AudioEndpointBuilder.exe	91
PID 4488 wrote to memory of 456	4488	AudioEndpointBuilder.exe	92
PID 4488 wrote to memory of 456	4488	AudioEndpointBuilder.exe	92
PID 4488 wrote to memory of 456	4488	AudioEndpointBuilder.exe	92
PID 4488 wrote to memory of 456	4488	AudioEndpointBuilder.exe	92
PID 4488 wrote to memory of 456	4488	AudioEndpointBuilder.exe	92
PID 4488 wrote to memory of 456	4488	AudioEndpointBuilder.exe	92
PID 4488 wrote to memory of 456	4488	AudioEndpointBuilder.exe	92
PID 4488 wrote to memory of 456	4488	AudioEndpointBuilder.exe	92
PID 4488 wrote to memory of 2344	4488	AudioEndpointBuilder.exe	93
PID 4488 wrote to memory of 2344	4488	AudioEndpointBuilder.exe	93
PID 4488 wrote to memory of 2344	4488	AudioEndpointBuilder.exe	93
PID 4488 wrote to memory of 2344	4488	AudioEndpointBuilder.exe	93
PID 4488 wrote to memory of 2344	4488	AudioEndpointBuilder.exe	93
PID 4488 wrote to memory of 2344	4488	AudioEndpointBuilder.exe	93
PID 4488 wrote to memory of 2344	4488	AudioEndpointBuilder.exe	93
PID 4488 wrote to memory of 2344	4488	AudioEndpointBuilder.exe	93
PID 4492 wrote to memory of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4492 wrote to memory of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4492 wrote to memory of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4492 wrote to memory of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4492 wrote to memory of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4492 wrote to memory of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4492 wrote to memory of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4492 wrote to memory of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4492 wrote to memory of 1740	4492	fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe	94
PID 4488 wrote to memory of 4468	4488	AudioEndpointBuilder.exe	95
PID 4488 wrote to memory of 4468	4488	AudioEndpointBuilder.exe	95
PID 4488 wrote to memory of 4468	4488	AudioEndpointBuilder.exe	95
PID 4488 wrote to memory of 4468	4488	AudioEndpointBuilder.exe	95
PID 4488 wrote to memory of 4468	4488	AudioEndpointBuilder.exe	95
PID 4488 wrote to memory of 4468	4488	AudioEndpointBuilder.exe	95

C:\Users\Admin\AppData\Local\Temp\fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
"C:\Users\Admin\AppData\Local\Temp\fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796
- C:\Users\Admin\AppData\Local\Temp\fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe
  "C:\Users\Admin\AppData\Local\Temp\fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    PID:4956
- C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2104
  - - C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:816
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:456
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2344
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4468
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4700
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4256
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4668
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4612
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1132
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4372
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3192
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3688
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4020
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:400
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3640
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1560
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4028
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2184
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1844
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1120
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4636
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3152
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2096
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4896
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3928
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2156
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1252
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4728
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1276
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1900
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3416
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:440
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2940
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1264
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4136
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2772
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4308
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4644
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4456
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4444
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1704
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1384
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2724
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3976
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4808
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:32
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3816
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4580
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2844
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2044
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:64
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4176
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4712
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1296
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2372
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2332
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1056
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5076
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2004
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3916
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3400
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1180
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2776
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4584
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4168
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:448
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1812
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4832
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2924
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4716
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2704
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4892
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:528
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2732
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2240
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2860
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3876
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3932
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2644
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3048
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4888
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4084
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3456
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4200
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:712
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5028
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3404
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:964
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1396
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2756
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2328
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:464
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4880
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3592
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:932
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1752
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1244
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2100
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2516
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1816
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1300
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1628
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1620
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3772
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2216
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2444
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1624
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4536
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2068
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:920
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5084
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4304
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:184
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1064
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1956
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4364
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3848
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2936
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3540
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2660
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:320
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2284
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3288
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4088
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1568
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1596
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:796
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4140
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4676
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4400
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4412
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3996
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4844
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3940
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2072
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:376
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3564
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5056
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2324
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2380
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1116
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2228
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4820
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5132
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5180
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5232
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5280
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5348
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5396
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5444
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5496
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5544
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5588
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5636
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5688
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5736
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5784
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5832
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5884
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5932
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5984
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6036
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6088
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3396
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5148
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5196
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5264
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5300
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5372
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5220
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5520
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:636
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5624
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5652
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5720
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5752
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5800
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5868
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5916
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5952
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5996
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6064
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6100
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5172
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5240
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5260
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5380
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5416
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5480
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5528
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5632
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5696
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1732
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2692
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5860
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6056
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6048
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5156
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5228
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5324
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5292
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5464
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2024
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:384
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5608
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5680
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5764
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5668
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5908
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5944
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4452
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6132
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5208
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5244
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5440
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5436
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5524
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5604
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5600
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5732
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5728
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5856
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6060
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6096
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1680
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5176
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5308
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2452
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2612
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5616
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5760
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5748
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5968
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6008
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6108
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5224
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5272
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5404
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5516
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5556
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5628
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5644
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5960
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6032
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5160
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3984
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5504
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5508
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5716
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5892
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5660
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2032
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3768
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1652
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2456
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5684
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3052
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6068
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:3324
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1012
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5572
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5584
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5840
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5288
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5844
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5484
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5672
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6020
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4348
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5780
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5552
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5724
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:6080
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4484
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5392
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5124
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5420
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5144
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2532
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5824
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5532
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4796
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:4416
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:2820
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:5492
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 844
        5⤵
        
        PID:1104
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1828
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 608
        5⤵
        
        PID:228
  - - C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      4⤵
      PID:1176

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4828

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1708

Network

DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

whatismyipaddress.com

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

Remote address:

8.8.8.8:53

Request

whatismyipaddress.com

IN A

Response

whatismyipaddress.com

IN A

104.19.222.79

whatismyipaddress.com

IN A

104.19.223.79
GET

http://whatismyipaddress.com/

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

Remote address:

104.19.222.79:80

Request

GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Mon, 16 Dec 2024 18:22:38 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 16 Dec 2024 19:22:38 GMT
Location: https://whatismyipaddress.com/
Set-Cookie: __cf_bm=wOfds5L7NGxPaCIW9JlIRHuAi__xvhf_SuzGue0ZZ70-1734373358-1.0.1.1-Mbe7BUSfmDimz71hFTRmfg131qETQ5b6br50SOR6iBWuI1JQxmytpNmUQ2zpaNXvGciUUTjrca8g6WbGQT4Edw; path=/; expires=Mon, 16-Dec-24 18:52:38 GMT; domain=.whatismyipaddress.com; HttpOnly
X-Frame-Options: SAMEORIGIN
Server: cloudflare
CF-RAY: 8f30b3311e1ecd9a-LHR
alt-svc: h3=":443"; ma=86400
GET

https://whatismyipaddress.com/

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

Remote address:

104.19.222.79:443

Request

GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Mon, 16 Dec 2024 18:22:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
cf-mitigated: challenge
cf-chl-out: Z61O2X2LPZQh//98ZNCzVUsG5fRi/FCl42BYTtKnlPQry5CqI9kpDC1MHMrdspaQO9y1hc5xzQrQV6GT1kXIl8dLGTspTxsN0y+vKc0OT9DlUr8EPl9OmP/v0zVLuG+NVqLg0TZ+qeaRqPLlZ64hWQ==$2UTphXYeMlT+im3aAzqxtA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=fBHkxp7u0OIcTZQ3D65OBhQnNR0AYesGeJFUDh9fbG8-1734373358-1.0.1.1-eapbj5ZBtp7ORsfatNt2z2T4b8VppM3KEXlw8YBucIMK2v_WY3LGKuIqRpWHENloHeBolMPCu9IqBEIi8WbIlA; path=/; expires=Mon, 16-Dec-24 18:52:38 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
Server: cloudflare
CF-RAY: 8f30b332683eedf3-LHR
alt-svc: h3=":443"; ma=86400
DNS

79.222.19.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.222.19.104.in-addr.arpa

IN PTR

Response
DNS

mx1.3owl.com

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

Remote address:

8.8.8.8:53

Request

mx1.3owl.com

IN A

Response

mx1.3owl.com

IN A

172.67.151.128

mx1.3owl.com

IN A

104.21.0.248
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response

104.19.222.79:80

http://whatismyipaddress.com/

http

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

347 B
957 B
6
4

HTTP Request

GET http://whatismyipaddress.com/

HTTP Response

301
104.19.222.79:443

https://whatismyipaddress.com/

tls, http

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

962 B
13.6kB
13
17

HTTP Request

GET https://whatismyipaddress.com/

HTTP Response

403
172.67.151.128:587

mx1.3owl.com

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

260 B
5
172.67.151.128:587

mx1.3owl.com

260 B
5
104.21.0.248:587

mx1.3owl.com

260 B
5
127.0.0.1:51675

AudioEndpointBuilder.exe
127.0.0.1:51675

AudioEndpointBuilder.exe
104.21.0.248:587

mx1.3owl.com

260 B
5
127.0.0.1:51675

AudioEndpointBuilder.exe
127.0.0.1:51675

AudioEndpointBuilder.exe
127.0.0.1:51675

AudioEndpointBuilder.exe
127.0.0.1:51675

AudioEndpointBuilder.exe
127.0.0.1:51675

AudioEndpointBuilder.exe
127.0.0.1:51675

AudioEndpointBuilder.exe

8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

whatismyipaddress.com

dns

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

67 B
99 B
1
1

DNS Request

whatismyipaddress.com

DNS Response

104.19.222.79

104.19.223.79
8.8.8.8:53

79.222.19.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

79.222.19.104.in-addr.arpa
8.8.8.8:53

mx1.3owl.com

dns

fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87N.exe

58 B
90 B
1
1

DNS Request

mx1.3owl.com

DNS Response

172.67.151.128

104.21.0.248
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AudioEndpointBuilder.exe.log

Filesize
774B

MD5
049b2c7e274ebb68f3ada1961c982a22

SHA1
796b9f03c8cd94617ea26aaf861af9fb2a5731db

SHA256
5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

SHA512
fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BrokerInfrastructure.exe.log

Filesize
404B

MD5
fcc802ed7e1aa47a9e0ba0420dac1632

SHA1
f7a7b06f14790b2e33a66fa6c318f940a6637786

SHA256
676475b51aec5bc3cbd324aca7091e8e63465b0cc77d85a02db484754c4fa7e1

SHA512
df8e129fb26cc87e3f76f69c7bf142116762cfe0377599f353cb2230a3ad992ad358ddba2c46a02e1bb14e4054f3df19b028a6a44699584f2a7f9f4c53092c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe

Filesize
778KB

MD5
42091ab1b8cbca4e170ed8806cb67ab0

SHA1
3d9389b8eed46f39a3bbc975ad05f31e7a0c7d84

SHA256
fa24bccb7b1ac04b82970ea94b8df033e80c57931db0ba5c96ff0506bbca2b87

SHA512
8c8cd397ac77ce6407037c749ce8b051bb1cbe22a78657463c12d3e8fea235fb2bbeee470ba35fa6c09296f28cc57b2ef8ec394319c1b4278efb89338c417e46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe

Filesize
8KB

MD5
4f328caa4aec70994c3f2250ae8702a7

SHA1
0f8c1b9315a9988adee3320ba77fde0e88e8774f

SHA256
a8dcb3bbabfba6e7f22207492f4ff6d8976bb2bee502ce145ff0e8b33d7c42ae

SHA512
cd5f4d327d0ae22cc4ccefcd0c09115f55a99091a26614b2461be6654de7aa6d4a3651206e572250715c41d227603c461115235171713bc6d0def252fb886670

Download Submit
memory/32-153-0x0000000000480000-0x00000000004A0000-memory.dmp

Filesize
128KB

Download
memory/796-25-0x0000000074702000-0x0000000074703000-memory.dmp

Filesize
4KB

Download
memory/796-26-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/796-1-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/796-2-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/796-3-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/796-33-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/796-0-0x0000000074702000-0x0000000074703000-memory.dmp

Filesize
4KB

Download
memory/1252-107-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/1740-58-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1740-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1740-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1740-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3988-21-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3988-32-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3988-20-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3988-19-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/4488-27-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/4488-93-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/4492-6-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4492-7-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/4492-70-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/4492-8-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/4956-115-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4956-114-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4956-126-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.