Windows Analysis Report
LZazJikRId.exe

Overview

General Information

Sample name: LZazJikRId.exe
renamed because original name is a hash value
Original sample name: 4410dbdf8f12dfbf1f165276c42444fe.exe
Analysis ID: 1427019
MD5: 4410dbdf8f12dfbf1f165276c42444fe
SHA1: 41636f267072fec4554293c8d6abe148e1e67cc6
SHA256: 61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

AV Detection

Source: LZazJikRId.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: LZazJikRId.exe Malware Configuration Extractor: AsyncRAT {"Ports": ["6606", "7707", "8808"], "Server": ["dgorijan20785.hopto.org"], "Version": "0.5.6A", "Mutex": "v5tvc4rc3ex788", "Certificate": "…", "Server Signature": "…"}
Source: LZazJikRId.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Joe Sandbox ML: detected
Source: LZazJikRId.exe Joe Sandbox ML: detected
Source: LZazJikRId.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 172.111.216.199:7707 -> 192.168.2.4:49736
Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 172.111.216.199:7707 -> 192.168.2.4:49736
Source: Yara match File source: LZazJikRId.exe, type: SAMPLE
Source: Yara match File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED
Source: Joe Sandbox View ASN Name: M247GB M247GB
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: dgorijan20785.hopto.org
Source: audiodrv.exe, 00000009.00000002.3018371066.000000001AEC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: audiodrv.exe, 00000009.00000002.3016881267.000000001AD94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: LZazJikRId.exe, 00000000.00000002.1991905089.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, audiodrv.exe, 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: LZazJikRId.exe, type: SAMPLE
Source: Yara match File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\Desktop\LZazJikRId.exe Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: 01 00 00 00

System Summary

Source: dump.pcap, type: PCAP Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.3007275677.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.3018371066.000000001AF05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1990433706.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1991905089.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Code function: 9_2_00007FFD9B8B6806 9_2_00007FFD9B8B6806
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Code function: 9_2_00007FFD9B8B75B2 9_2_00007FFD9B8B75B2
Source: LZazJikRId.exe, 00000000.00000000.1748613877.000000000026E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStub.exe" vs LZazJikRId.exe
Source: LZazJikRId.exe Binary or memory string: OriginalFilenameStub.exe" vs LZazJikRId.exe
Source: dump.pcap, type: PCAP Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.3007275677.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.3018371066.000000001AF05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1990433706.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1991905089.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: LZazJikRId.exe, Settings.cs Base64 encoded string: 'uz2D1dRKo4gLaV5vK3OKpUgza4igRZhCm0/80TomA6YxHyK4g20astNKuCpzEYH0TttVhaC34GYGL5W2s85Qjw==', 'IeC/t0fCkuFIJFP+7cNT5b+0WjcL4URFPsNK3p5N+xq3OQpRrb5Gve93WHr0M/hlXdFSIIBZVVWGRBfK3yvZvg==', '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', 'Mke0l8dmA0+iRD7Zqkb6sk/Rn2rDjjBB+o3e5SXv99TuIGfnfYqTb217kNmBCYTJammd7kNkRHrsIcD0Ic6LQ+NOPpk3I3Ck1ne+n0WotdpKVSCfSyLuClqIDBpiWuSPv0QAy2Y8HPVFO4lg74XW4mksek3Rx7ivW+aXPi3bDioG3OvqmvXIDbIij4++ujXr41eHrcK+LTZdSYU9aPlfhm+6BCllUPRjJHWUSjuY07PhSeEFvbCMKurPRndKfoV9th1b3QZZAQvVBN0C+mM+bmgg4y8uutzJR8H90QUPPZmCPlIOGJ/ym2TvEN/oi5FZDfWfQHAsjnzBM0DPk5wWoWv+aSrioX1vM4wO2Tpfxi3mYBM16+5y7dx+XxZ0m1oVsWL6MvvsG71/Y2sPpJpveXCRMEHSvGMdyCiAViXA0b1K3zts+PqpLRdakHc48CrsEX++qWH++89Kbhu
Source: audiodrv.exe.0.dr, Settings.cs Base64 encoded string: 'uz2D1dRKo4gLaV5vK3OKpUgza4igRZhCm0/80TomA6YxHyK4g20astNKuCpzEYH0TttVhaC34GYGL5W2s85Qjw==', 'IeC/t0fCkuFIJFP+7cNT5b+0WjcL4URFPsNK3p5N+xq3OQpRrb5Gve93WHr0M/hlXdFSIIBZVVWGRBfK3yvZvg==', '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', 'Mke0l8dmA0+iRD7Zqkb6sk/Rn2rDjjBB+o3e5SXv99TuIGfnfYqTb217kNmBCYTJammd7kNkRHrsIcD0Ic6LQ+NOPpk3I3Ck1ne+n0WotdpKVSCfSyLuClqIDBpiWuSPv0QAy2Y8HPVFO4lg74XW4mksek3Rx7ivW+aXPi3bDioG3OvqmvXIDbIij4++ujXr41eHrcK+LTZdSYU9aPlfhm+6BCllUPRjJHWUSjuY07PhSeEFvbCMKurPRndKfoV9th1b3QZZAQvVBN0C+mM+bmgg4y8uutzJR8H90QUPPZmCPlIOGJ/ym2TvEN/oi5FZDfWfQHAsjnzBM0DPk5wWoWv+aSrioX1vM4wO2Tpfxi3mYBM16+5y7dx+XxZ0m1oVsWL6MvvsG71/Y2sPpJpveXCRMEHSvGMdyCiAViXA0b1K3zts+PqpLRdakHc48CrsEX++qWH++89Kbhu
Source: audiodrv.exe.0.dr, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: audiodrv.exe.0.dr, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: LZazJikRId.exe, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: LZazJikRId.exe, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/4@1/1
Source: C:\Users\user\Desktop\LZazJikRId.exe File created: C:\Users\user\AppData\Roaming\audiodrv.exe
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Mutant created: \Sessions\1\BaseNamedObjects\v5tvc4rc3ex788
Source: C:\Users\user\Desktop\LZazJikRId.exe File created: C:\Users\user\AppData\Local\Temp\tmpD41E.tmp
Source: C:\Users\user\Desktop\LZazJikRId.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD41E.tmp.bat""
Source: LZazJikRId.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LZazJikRId.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2152
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6892
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6460
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2580
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6024
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1956
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3004
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 416
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6448
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5584
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1176
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 396
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6256
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 408
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7024
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1724
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5576
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3420
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5476
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3848
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2552
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5568
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1252
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2544
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3404
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3832
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6416
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6844
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2120
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5116
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2528
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5544
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2524
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3816
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5108
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2088
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 872
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1652
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5484
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 356
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2508
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5092
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4660
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2500
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5084
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6528
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3788
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6972
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1200
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5936
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6796
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6364
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6744
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 324
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5064
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4632
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 752
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3768
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4196
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2900
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 744
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2036
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6776
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6344
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2892
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 492
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1552
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6824
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4600
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2012
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3304
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6320
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2008
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 340
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1572
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 708
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3720
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6304
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5440
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6732
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 696
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5460
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5860
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5428
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6720
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2064
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6280
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5416
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4984
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2396
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1532
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6700
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4544
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2388
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5404
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1940
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1948
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1084
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6356
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3664
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7108
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6676
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1932
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1496
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6236
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4340
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6664
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 628
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1488
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5796
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7088
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6656
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4500
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 620
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6220
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1476
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1044
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3196
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2764
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3192
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7068
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3616
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7044
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6200
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2748
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 592
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4468
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2316
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6620
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4032
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2736
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 364
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6180
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5288
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6176
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6604
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6172
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5308
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6600
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4444
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5736
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4872
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2716
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6932
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1852
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 988
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5728
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 552
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5720
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1840
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1408
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2268
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7008
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6576
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6548
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5704
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1824
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6992
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 92
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7804
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3536
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1376
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3528
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3524
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6100
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5548
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2216
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 920
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6520
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6164
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 484
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 784
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6868
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3496
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2632
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3924
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7368
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6948
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6504
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2624
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1760
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1328
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 776
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2616
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6060
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1316
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2608
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6268
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4920
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6484
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6908
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6044
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3456
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1296
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 432
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 0
Source: C:\Users\user\Desktop\LZazJikRId.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LZazJikRId.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LZazJikRId.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\LZazJikRId.exe File read: C:\Users\user\Desktop\LZazJikRId.exe
Source: unknown Process created: C:\Users\user\Desktop\LZazJikRId.exe "C:\Users\user\Desktop\LZazJikRId.exe"
Source: C:\Users\user\Desktop\LZazJikRId.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LZazJikRId.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD41E.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\audiodrv.exe "C:\Users\user\AppData\Roaming\audiodrv.exe"
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LZazJikRId.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: LZazJikRId.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LZazJikRId.exe Static file information: File size 48978421 > 1048576
Source: LZazJikRId.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LZazJikRId.exe Static PE information: 0x8A85AFDB [Mon Aug 24 08:18:35 2043 UTC]
Source: C:\Users\user\Desktop\LZazJikRId.exe Code function: 0_2_00007FFD9B8800BD pushad ; iretd 0_2_00007FFD9B8800C1
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Code function: 9_2_00007FFD9B8B00BD pushad ; iretd 9_2_00007FFD9B8B00C1
Source: C:\Users\user\Desktop\LZazJikRId.exe File created: C:\Users\user\AppData\Roaming\audiodrv.exe

Boot Survival

Source: Yara match File source: LZazJikRId.exe, type: SAMPLE
Source: Yara match File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED
Source: C:\Users\user\Desktop\LZazJikRId.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"'
Source: C:\Users\user\Desktop\LZazJikRId.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: LZazJikRId.exe, type: SAMPLE
Source: Yara match File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED
Source: LZazJikRId.exe, audiodrv.exe.0.dr Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\LZazJikRId.exe Memory allocated: 8A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LZazJikRId.exe Memory allocated: 1A590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Memory allocated: 20C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Memory allocated: 1A230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LZazJikRId.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Window / User API: threadDelayed 8791
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Window / User API: threadDelayed 913
Source: C:\Users\user\Desktop\LZazJikRId.exe TID: 7284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\audiodrv.exe TID: 7956 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LZazJikRId.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\audiodrv.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\LZazJikRId.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Thread delayed: delay time: 922337203685477
Source: audiodrv.exe.0.dr Binary or memory string: vmware
Source: audiodrv.exe, 00000009.00000002.3018371066.000000001AF05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: C:\Users\user\Desktop\LZazJikRId.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\LZazJikRId.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\LZazJikRId.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\LZazJikRId.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"'
Source: C:\Users\user\Desktop\LZazJikRId.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD41E.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\audiodrv.exe "C:\Users\user\AppData\Roaming\audiodrv.exe"
Source: C:\Users\user\Desktop\LZazJikRId.exe Queries volume information: C:\Users\user\Desktop\LZazJikRId.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\audiodrv.exe Queries volume information: C:\Users\user\AppData\Roaming\audiodrv.exe VolumeInformation
Source: C:\Users\user\Desktop\LZazJikRId.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: LZazJikRId.exe, type: SAMPLE
Source: Yara match File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\audiodrv.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct