Windows Analysis Report
LZazJikRId.exe

Overview

General Information

Sample name:LZazJikRId.exe
renamed because original name is a hash value
Original sample name:4410dbdf8f12dfbf1f165276c42444fe.exe
Analysis ID:1427019
MD5:4410dbdf8f12dfbf1f165276c42444fe
SHA1:41636f267072fec4554293c8d6abe148e1e67cc6
SHA256:61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222
Tags:AsyncRAT, exe, RAT
Detection

AsyncRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • LZazJikRId.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\LZazJikRId.exe" MD5: 4410DBDF8F12DFBF1F165276C42444FE)
    • schtasks.exe (PID: 7676 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7728 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD41E.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7780 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • audiodrv.exe (PID: 7804 cmdline: "C:\Users\user\AppData\Roaming\audiodrv.exe" MD5: B650EE637C386E63F318CFF98A1F4A7A)
  • cleanup
Name:AsyncRAT
Description:AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution:No Attribution
Blogpost URLs:https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Malware configuration (AsyncRAT): {"Ports": ["6606", "7707", "8808"], "Server": ["dgorijan20785.hopto.org"], "Version": "0.5.6A", "Mutex": "v5tvc4rc3ex788"}
Source | Rule | Description | Author | Strings
LZazJikRId.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
LZazJikRId.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x3101c:$x1: AsyncRAT
  • 0x3105a:$x1: AsyncRAT
C:\Users\user\AppData\Roaming\audiodrv.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\Users\user\AppData\Roaming\audiodrv.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000009.00000002.3007275677.0000000000704000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x696b:$x1: AsyncRAT
  • 0x69a9:$x1: AsyncRAT
00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x941e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.3018371066.000000001AF05000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x133af:$x1: AsyncRAT
  • 0x133ed:$x1: AsyncRAT
00000000.00000002.1990433706.00000000007F7000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x477ab:$x1: AsyncRAT
  • 0x477e9:$x1: AsyncRAT
  • 0x16cc0:$s4: Stub.exe
Source | Rule | Description | Author | Strings
0.0.LZazJikRId.exe.260000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.LZazJikRId.exe.260000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.LZazJikRId.exe.260000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x961e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"', CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"', CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LZazJikRId.exe", ParentImage: C:\Users\user\Desktop\LZazJikRId.exe, ParentProcessId: 7260, ParentProcessName: LZazJikRId.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"', ProcessId: 7676, ProcessName: schtasks.exe

Timestamp:04/16/24-22:17:55.099629
SID:2030673
Source Port:7707
Destination Port:49736
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:04/16/24-22:17:55.099629
SID:2035595
Source Port:7707
Destination Port:49736
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: LZazJikRId.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: LZazJikRId.exe | Malware Configuration Extractor: AsyncRAT {"Ports": ["6606", "7707", "8808"], "Server": ["dgorijan20785.hopto.org"], "Version": "0.5.6A", "Mutex": "v5tvc4rc3ex788"}
Source: LZazJikRId.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Joe Sandbox ML: detected
Source: LZazJikRId.exe | Joe Sandbox ML: detected
Source: LZazJikRId.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 172.111.216.199:7707 -> 192.168.2.4:49736
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 172.111.216.199:7707 -> 192.168.2.4:49736
Source: Yara match | File source: LZazJikRId.exe, type: SAMPLE
Source: Yara match | File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED
Source: Joe Sandbox View | ASN Name: M247GB M247GB
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: dgorijan20785.hopto.org
Source: audiodrv.exe, 00000009.00000002.3018371066.000000001AEC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: audiodrv.exe, 00000009.00000002.3016881267.000000001AD94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: LZazJikRId.exe, 00000000.00000002.1991905089.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, audiodrv.exe, 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: LZazJikRId.exe, type: SAMPLE
Source: Yara match | File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\Desktop\LZazJikRId.exe | Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Process information set: 01 00 00 00

System Summary

Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.3007275677.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.3018371066.000000001AF05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1990433706.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1991905089.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Code function: 9_2_00007FFD9B8B6806
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Code function: 9_2_00007FFD9B8B75B2
Source: LZazJikRId.exe, 00000000.00000000.1748613877.000000000026E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs LZazJikRId.exe
Source: LZazJikRId.exe | Binary or memory string: OriginalFilenameStub.exe" vs LZazJikRId.exe
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.3007275677.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.3018371066.000000001AF05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1990433706.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1991905089.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: LZazJikRId.exe, Settings.cs | Base64 encoded string: [long base64 blobs omitted]
Source: audiodrv.exe.0.dr, Settings.cs | Base64 encoded string: [long base64 blobs omitted]
Source: audiodrv.exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: audiodrv.exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: LZazJikRId.exe, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: LZazJikRId.exe, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/4@1/1
Source: C:\Users\user\Desktop\LZazJikRId.exe | File created: C:\Users\user\AppData\Roaming\audiodrv.exe
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Mutant created: \Sessions\1\BaseNamedObjects\v5tvc4rc3ex788
Source: C:\Users\user\Desktop\LZazJikRId.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD41E.tmp
Source: C:\Users\user\Desktop\LZazJikRId.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD41E.tmp.bat""
Source: LZazJikRId.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LZazJikRId.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2152
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6892
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6460
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2580
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6024
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1956
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3004
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 416
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6448
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5584
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1176
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 396
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6256
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 408
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7024
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1724
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5576
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3420
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5476
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3848
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2552
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5568
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1252
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2544
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3404
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3832
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6416
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6844
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2120
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5116
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2528
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5544
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2524
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3816
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5108
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2088
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 872
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1652
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5484
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 356
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2508
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5092
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4660
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2500
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5084
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6528
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3788
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6972
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1200
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5936
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6796
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6364
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6744
Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 324
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5064
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4632
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 752
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3768
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4196
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2900
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 744
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2036
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6776
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6344
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2892
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 492
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1552
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6824
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4600
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2012
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3304
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6320
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2008
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 340
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1572
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 708
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3720
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6304
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5440
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6732
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 696
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5460
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5860
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5428
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6720
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2064
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6280
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5416
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4984
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2396
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1532
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6700
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4544
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2388
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5404
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1940
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1948
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1084
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6356
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3664
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7108
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6676
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1932
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1496
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6236
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4340
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6664
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 628
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1488
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5796
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7088
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6656
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4500
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 620
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6220
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1476
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1044
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3196
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2764
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3192
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7068
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3616
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7044
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6200
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2748
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 592
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4468
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2316
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6620
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4032
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2736
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 364
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6180
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5288
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6176
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6604
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6172
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5308
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6600
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4444
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5736
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4872
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2716
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6932
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1852
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 988
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5728
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 552
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5720
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1840
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1408
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2268
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7008
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6576
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6548
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5704
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1824
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6992
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 92
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7804
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3536
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1376
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3528
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3524
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6100
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5548
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2216
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 920
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6520
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6164
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 484
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 784
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6868
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3496
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2632
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3924
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7368
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6948
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6504
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2624
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1760
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1328
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 776
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2616
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6060
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1316
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2608
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6268
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4920
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6484
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6908
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6044
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3456
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1296
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 432
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 0
                Source: C:\Users\user\Desktop\LZazJikRId.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: LZazJikRId.exe | ReversingLabs: Detection: 78%
                Source: C:\Users\user\Desktop\LZazJikRId.exe | File read: C:\Users\user\Desktop\LZazJikRId.exe
                Source: unknown | Process created: C:\Users\user\Desktop\LZazJikRId.exe "C:\Users\user\Desktop\LZazJikRId.exe"
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"'
                Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD41E.tmp.bat""
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\audiodrv.exe "C:\Users\user\AppData\Roaming\audiodrv.exe"
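Two things in the behaviour above are worth turning into detection logic: the per-PID `SELECT CommandLine FROM Win32_Process WHERE ProcessId = N` sweep issued by audiodrv.exe (the list runs all the way down to PID 4 and PID 0, so the whole process table was walked, one query per entry, which is how a RAT looks for analysis tools by command line), and the install chain (schtasks.exe /create with /sc ONLOGON and /RL HIGHEST whose action lives in the user's AppData\Roaming, followed by cmd.exe running a .tmp.bat from %TEMP% that waits with timeout and relaunches the dropped binary). The Python below is an added example, not part of the Joe Sandbox report or of AsyncRAT; it runs three checks over constructed event records modelled on the report lines. The event shape (parent image, kind, detail string), the threshold of 20 per-PID queries, the list of user-writable profile directories and the benign control event are assumptions.

```python
"""Detection checks for the two behaviours recorded above (added example, constructed data).

1. A process enumerating Win32_Process.CommandLine one ProcessId at a time.
2. The install chain: schtasks /create ... /sc ONLOGON /RL HIGHEST pointing into a user
   profile directory, then cmd.exe running a .tmp.bat under TEMP that waits and relaunches.
"""
import re
from collections import defaultdict

# Assumed event shape: (parent image path, event kind, detail string).
DROPPER = r"C:\Users\user\Desktop\LZazJikRId.exe"
AUDIODRV = r"C:\Users\user\AppData\Roaming\audiodrv.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Copied from the report's process-creation line, including its mixed "'...'" quoting.
SCHTASKS_CMD = r""""C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"'"""

# A subset of the ProcessId values the report shows audiodrv.exe querying, order kept.
WMI_PIDS = [2528, 5544, 2524, 3816, 5108, 2088, 872, 1652, 5484, 356, 2508, 5092,
            4660, 2500, 5084, 6528, 3788, 6972, 1200, 5936, 6796, 6364, 4, 0]

SAMPLE_EVENTS = [  # constructed from the report's lines; not a real log export
    ("unknown", "process_create", f'"{DROPPER}"'),
    (DROPPER, "process_create", SCHTASKS_CMD),
    (DROPPER, "process_create",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD41E.tmp.bat""'),
    (CMD, "process_create", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (CMD, "process_create", "timeout 3"),
    (CMD, "process_create", f'"{AUDIODRV}"'),
    # Benign control (assumed): one whole-class inventory query from another process.
    (r"C:\Program Files\Example\inventory.exe", "wmi_query", "SELECT Name FROM Win32_Process"),
] + [
    (AUDIODRV, "wmi_query", f"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {pid}")
    for pid in WMI_PIDS
]

WMI_PID_QUERY = re.compile(
    r"^SELECT\s+CommandLine\s+FROM\s+Win32_Process\s+WHERE\s+ProcessId\s*=\s*(\d+)\s*$", re.I)
# User-writable profile locations (assumed list); an installer would not schedule from here.
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads|documents|public)\\")
TEMP_BAT = re.compile(r'(?i)\\appdata\\local\\temp\\[^"]+\.bat')
ROAMING_EXE = re.compile(r'(?i)\\appdata\\roaming\\[^"]+\.exe')


def detect_wmi_process_sweep(events, threshold=20):
    """Return {parent: number of distinct PIDs} for processes that query Win32_Process
    one ProcessId at a time at least `threshold` times. Legitimate tooling normally asks
    for the whole class in a single query, so the per-PID pattern itself is the signal."""
    pids = defaultdict(set)
    for parent, kind, detail in events:
        if kind == "wmi_query":
            m = WMI_PID_QUERY.match(detail)
            if m:
                pids[parent].add(int(m.group(1)))
    return {p: len(s) for p, s in pids.items() if len(s) >= threshold}


def schtasks_switch(cmdline, name):
    """Value of one schtasks switch, tolerant of the stray quotes seen in the report."""
    m = re.search(r"(?i)(?:^|\s)/" + name + r"\s+(.+?)(?=\s+/\w+|\s*$)", cmdline)
    return m.group(1).strip("\"'") if m else None


def detect_onlogon_task_from_user_profile(events):
    """Flag schtasks /create with /sc ONLOGON and /RL HIGHEST whose /tr action sits in a
    user profile directory: logon persistence with the highest available token."""
    hits = []
    for parent, kind, detail in events:
        if kind != "process_create" or "schtasks" not in detail.lower():
            continue
        if not re.search(r"(?i)\s/create(\s|$)", detail):
            continue
        sc, rl, tn, tr = (schtasks_switch(detail, n) for n in ("sc", "rl", "tn", "tr"))
        if ((sc or "").upper() == "ONLOGON" and (rl or "").upper() == "HIGHEST"
                and tr and USER_WRITABLE.match(tr)):
            hits.append({"parent": parent, "task": tn, "action": tr})
    return hits


def detect_batch_relaunch(events):
    """Flag the relaunch chain: cmd.exe /c on a .bat under TEMP whose children are a
    'timeout N' wait and an .exe started from AppData\\Roaming. Returns the relaunched
    command lines, or [] if any link of the chain is missing."""
    ran_temp_bat = any(kind == "process_create" and "cmd.exe" in detail.lower()
                       and TEMP_BAT.search(detail) for _, kind, detail in events)
    children = [detail for parent, kind, detail in events
                if kind == "process_create" and parent.lower().endswith("\\cmd.exe")]
    waited = any(re.match(r"(?i)timeout\s+\d+", c) for c in children)
    relaunched = [c for c in children if ROAMING_EXE.search(c)]
    return relaunched if ran_temp_bat and waited else []


if __name__ == "__main__":
    print("WMI per-PID sweep:", detect_wmi_process_sweep(SAMPLE_EVENTS))
    print("ONLOGON task from user profile:", detect_onlogon_task_from_user_profile(SAMPLE_EVENTS))
    print("Batch relaunch chain:", detect_batch_relaunch(SAMPLE_EVENTS))
```

The sweep detector keys on the query shape rather than on a count of WMI calls in general, because inventory agents also touch Win32_Process but do so with one class-wide query; the task detector deliberately strips both quote characters from switch values so the `"'audiodrv"'` form recorded above still resolves to the task name and action path.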
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\LZazJikRId.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
                Source: LZazJikRId.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: LZazJikRId.exeStatic file information: File size 48978421 > 1048576
                Source: LZazJikRId.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: LZazJikRId.exeStatic PE information: 0x8A85AFDB [Mon Aug 24 08:18:35 2043 UTC]
                Source: C:\Users\user\Desktop\LZazJikRId.exeCode function: 0_2_00007FFD9B8800BD pushad ; iretd 0_2_00007FFD9B8800C1
                Source: C:\Users\user\AppData\Roaming\audiodrv.exeCode function: 9_2_00007FFD9B8B00BD pushad ; iretd 9_2_00007FFD9B8B00C1
                Source: C:\Users\user\Desktop\LZazJikRId.exeFile created: C:\Users\user\AppData\Roaming\audiodrv.exeJump to dropped file

                Boot Survival

                Source: Yara match | File source: LZazJikRId.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"'
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Process information set: NOOPENFILEERRORBOX (34 identical entries)
                Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries)

                Malware Analysis System Evasion

                Source: Yara match | File source: LZazJikRId.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED
                Source: LZazJikRId.exe, audiodrv.exe.0.dr | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Memory allocated: 8A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Memory allocated: 1A590000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Memory allocated: 20C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Memory allocated: 1A230000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Window / User API: threadDelayed 8791
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Window / User API: threadDelayed 913
                Source: C:\Users\user\Desktop\LZazJikRId.exe TID: 7284 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe TID: 7956 | Thread sleep time: -24903104499507879s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\LZazJikRId.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Thread delayed: delay time: 922337203685477
                Source: audiodrv.exe.0.dr | Binary or memory string: vmware
                Source: audiodrv.exe, 00000009.00000002.3018371066.000000001AF05000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"'
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD41E.tmp.bat""
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\audiodrv.exe "C:\Users\user\AppData\Roaming\audiodrv.exe"
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Queries volume information: C:\Users\user\Desktop\LZazJikRId.exe VolumeInformation
                Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | Queries volume information: C:\Users\user\AppData\Roaming\audiodrv.exe VolumeInformation
                Source: C:\Users\user\Desktop\LZazJikRId.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: Yara match | File source: LZazJikRId.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.LZazJikRId.exe.260000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: LZazJikRId.exe PID: 7260, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: audiodrv.exe PID: 7804, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\audiodrv.exe, type: DROPPED
                Source: C:\Users\user\AppData\Roaming\audiodrv.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | 1 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 2 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 2 Scheduled Task/Job | 1 Scripting | 2 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 14 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Behavior Graph ID: 1427019 | Sample: LZazJikRId.exe | Startdate: 16/04/2024 | Architecture: WINDOWS | Score: 100
                Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures. Contacted host: dgorijan20785.hopto.org
                LZazJikRId.exe (started): dropped C:\Users\user\AppData\Roaming\audiodrv.exe (PE32); signatures: Protects its processes via BreakOnTermination flag; Uses schtasks.exe or at.exe to add and modify task schedules; started cmd.exe and schtasks.exe
                cmd.exe (started): started audiodrv.exe, conhost.exe and timeout.exe
                schtasks.exe (started): started conhost.exe
                audiodrv.exe (started): network connection to dgorijan20785.hopto.org 172.111.216.199, 49736, 7707 (M247GB, United States); signatures: Antivirus detection for dropped file; Protects its processes via BreakOnTermination flag; Machine Learning detection for dropped file

                Source | Detection | Scanner | Label | Link
                LZazJikRId.exe | 79% | ReversingLabs | ByteCode-MSIL.Coinminer.Crysan
                LZazJikRId.exe | 100% | Avira | TR/Dropper.Gen
                LZazJikRId.exe | 100% | Joe Sandbox ML
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\audiodrv.exe | 100% | Avira | TR/Dropper.Gen
                C:\Users\user\AppData\Roaming\audiodrv.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                dgorijan20785.hopto.org | 172.111.216.199 | true | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | LZazJikRId.exe, 00000000.00000002.1991905089.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, audiodrv.exe, 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                172.111.216.199 | dgorijan20785.hopto.org | United States | | 9009 | M247GB | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1427019
                    Start date and time:2024-04-16 22:16:12 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 17s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:11
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:LZazJikRId.exe
                    renamed because original name is a hash value
                    Original Sample Name:4410dbdf8f12dfbf1f165276c42444fe.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@12/4@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 4
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: LZazJikRId.exe
                    Time | Type | Description
                    21:17:32 | Task Scheduler | Run new task: 'audiodrv' path: "C:\Users\user\AppData\Roaming\audiodrv.exe"
                    22:17:54 | API Interceptor | 1347091x Sleep call for process: audiodrv.exe modified
                    No context
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    dgorijan20785.hopto.org | SYVA2te3iZ.exe | Get hash | malicious | AsyncRAT, AveMaria, BabylonRAT, DarkComet, ParadoxRAT, UACMe, XenoRAT | Browse | 172.111.131.97
                     | 3669103BB71A217263881BCD143B2F60A68B75CCC08F0.exe | Get hash | malicious | AveMaria, DarkTortilla, UACMe | Browse | 104.250.170.27
                     | CwZJqFCiQl.exe | Get hash | malicious | AveMaria, UACMe | Browse | 104.250.170.27
                     | Fast-Tron-Miner.exe | Get hash | malicious | AveMaria, BabylonRAT, DarkComet, ParadoxRAT, UACMe | Browse | 172.111.204.106
                     | Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr.exe | Get hash | malicious | AsyncRAT, AveMaria, UACMe | Browse | 172.111.204.106
                     | BitcoinPrivateKeyFinder.exe | Get hash | malicious | DarkComet, DarkTortilla | Browse | 172.111.204.106
                     | b5OyySwWKr.exe | Get hash | malicious | AsyncRAT, DarkTortilla, PhoenixRAT, Xmrig | Browse | 172.111.204.106
                     | ADOBESTV.EXE.exe | Get hash | malicious | BabylonRAT, ParadoxRAT | Browse | 172.111.204.106
                     | USBDRVI.EXE.exe | Get hash | malicious | AveMaria, UACMe | Browse | 172.111.204.106
                     | Dogecoin-Miner2022l.exe | Get hash | malicious | AsyncRAT, AveMaria, DarkComet, ParadoxRAT, PhoenixRAT, UACMe | Browse | 172.111.204.106
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    M247GB | bUAB.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 172.94.39.213
                     | 2jQHythw1E.elf | Get hash | malicious | Mirai | Browse | 38.203.241.133
                     | zLH4Gkr36e.elf | Get hash | malicious | Mirai | Browse | 194.71.126.13
                     | https://www.goodnewsliverpool.co.uk/?ads_click=1&data=10345-9192-0-3318-1&nonce=b019a2f042&redir=%68%74%74%70%25%33%41aiitpune.com%2Fjs%2Ftjux%2F%2Fc2J5cm5lQGpwYy5xbGQuZWR1LmF1&$ | Get hash | malicious | HTMLPhisher | Browse | 95.215.226.7
                     | r414SHIPPINGORDERETC-0313SO6432TW102667003.scr.exe | Get hash | malicious | XWorm | Browse | 104.250.180.178
                     | J2NWKU2oJi.exe | Get hash | malicious | Amadey, RHADAMANTHYS | Browse | 91.202.233.180
                     | UGXRHW5XnG.elf | Get hash | malicious | Mirai | Browse | 45.86.28.68
                     | IF175.vbs | Get hash | malicious | Unknown | Browse | 45.61.128.239
                     | VVr5Eoo84.vbs | Get hash | malicious | Unknown | Browse | 45.61.128.239
                     | V4Mhvhr77.vbs | Get hash | malicious | Unknown | Browse | 45.61.128.239
                    No context
                    No context
                    Process:C:\Users\user\Desktop\LZazJikRId.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):654
                    Entropy (8bit):5.380476433908377
                    Encrypted:false
                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                    Process:C:\Users\user\Desktop\LZazJikRId.exe
                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):152
                    Entropy (8bit):5.089293897629723
                    Encrypted:false
                    SSDEEP:3:mKDDCMNqTtvL5ot+kiEaKC5f18mqRDt+kiE2J5xAInTRILnRozVZPy:hWKqTtT6wknaZ5fKmq1wkn23fTGRAVk
                    MD5:2AB11935587EA7AF433741BD843FC583
                    SHA1:E8409A45DAF60CA9005AC0485D74938D4C9DC2B4
                    SHA-256:8FA5F92E9F933AC72D08946837B6E8C49183CE0F3EDACF31E4E478A50435C750
                    SHA-512:5256A6FB4B9AFE6E0122A63E41B720C8991BC1F4A12E08DCC63C2F2DD8FD06DE4986DBD5FB49078475E2F501058D2AB7A43EEFCD0FDAF9F0018EE3738EA88000
                    Malicious:false
                    Reputation:low
                    Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\audiodrv.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpD41E.tmp.bat" /f /q..
                    Process:C:\Users\user\Desktop\LZazJikRId.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):92634892
                    Entropy (8bit):7.999993562795589
                    Encrypted:true
                    SSDEEP:1572864:Dk5cNUUJgrNPOFfxFGjMBLKLbob+XCdvXhzhICu/1EKxRViBY3JX:DCAFWNPOFfxcgLK3oay9wVuKx5d
                    MD5:B650EE637C386E63F318CFF98A1F4A7A
                    SHA1:6DCA55052F4CA177B205D3EF2014C23257163A9E
                    SHA-256:CB9E1BE7694030F9B7D6501ED05B97B160130C11481F494D311E697A2F10C6D6
                    SHA-512:B63657472448A3CCF0CDA364B5A790E61D571FF96749CD79A9C44E684C43B40B087F71D400837E42FFA662EA50182734D8C1ABDA898BE56A1DE5B34859D7F0BE
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\audiodrv.exe, Author: Joe Security
                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\audiodrv.exe, Author: Joe Security
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ........@.. ....................... ............@.................................`...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H....... W..@l.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......**.(>......*2~.....o?...*6(.....X(....*.s.........*2~.....o!...*2~.....o....*2.(V...(&...*...D...%...%...c.%....c.%....c.*N..D...%...%...c.*2.(W...(&...*.sX........*V..}.....(......}....*J.{.....{....oY...*...{...
                    Process:C:\Windows\System32\timeout.exe
                    File Type:ASCII text, with CRLF line terminators, with overstriking
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.41440934524794
                    Encrypted:false
                    SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                    MD5:3DD7DD37C304E70A7316FE43B69F421F
                    SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                    SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                    SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.999979747660415
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    • Win32 Executable (generic) a (10002005/4) 49.75%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Windows Screen Saver (13104/52) 0.07%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    File name:LZazJikRId.exe
                    File size:48'978'421 bytes
                    MD5:4410dbdf8f12dfbf1f165276c42444fe
                    SHA1:41636f267072fec4554293c8d6abe148e1e67cc6
                    SHA256:61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222
                    SHA512:33b4aa2617a3cf96623c66e67fcb22a96ca78df4829773de94ac75ea6749cf85842429e9383b720afa8937594e235c6ea02e81acb833713fa1f90ef18e0505e0
                    SSDEEP:786432:Nkmk80dcNz5mU7FgDHNM2RXKxN1bfHRz8CGj7IBLbTSR/4ibob+XAkqdvDjhr:Dk5cNUUJgrNPOFfxFGjMBLKLbob+XCdl
                    TLSH:77B73328D1D6E15AC7DDD8649626DEEAE3FB0CF13156B9007CECE51D482AF4B1008BE9
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ............@................................
                    Icon Hash:90cececece8e8eb0
                    Entrypoint:0x40c3ae
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x8A85AFDB [Mon Aug 24 08:18:35 2043 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:v4.0.30319
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc360 | 0x4b | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xfb6 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0xa3b4 | 0xa400 | 20fcf7bf3ae144fe2fb47a6adac85d82 | False | 0.5096703506097561 | data | 5.608697326104035 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0xe000 | 0xfb6 | 0x1000 | e096b0348a4279a540dcdc2efc775a68 | False | 0.388916015625 | data | 5.014741439768996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x10000 | 0xc | 0x200 | 2f56c8233a8bed9d40526d0054d418e0 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_VERSION | 0xe0a0 | 0x2cc | data |  |  | 0.43575418994413406
                    RT_MANIFEST | 0xe36c | 0xc4a | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.3925619834710744
                    DLL | Import
                    mscoree.dll | _CorExeMain
                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    04/16/24-22:17:55.099629 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    04/16/24-22:17:55.099629 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Apr 16, 2024 22:17:54.527981997 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:17:54.775608063 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:17:54.775727034 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:17:54.795663118 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:17:55.099628925 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:17:55.103451967 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:17:55.103574991 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:17:55.109357119 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:17:55.359577894 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:17:55.414335966 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:17:55.581734896 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:17:56.039556980 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:17:56.039738894 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:17:56.487402916 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:12.884524107 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:13.331408978 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:13.331455946 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:13.595618010 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:13.648507118 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:13.895329952 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:13.908123970 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:14.363400936 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:14.367855072 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:14.819739103 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:18.099514008 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:18.148468971 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:18.399290085 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:18.445456982 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:34.790096998 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:35.235299110 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:35.235486984 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:35.491152048 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:35.538978100 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:35.787219048 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:35.788698912 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:36.235150099 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:36.235272884 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:36.695554972 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:48.119260073 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:48.163944006 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:48.411283016 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:48.460984945 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:56.697096109 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:57.147406101 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:57.147891045 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:57.395196915 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:57.445096970 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:57.691200972 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:57.695513010 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:58.151091099 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:18:58.151583910 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:18:58.599116087 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:07.914267063 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:08.363115072 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:08.367333889 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:08.619157076 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:08.664089918 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:08.911010981 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:08.913738012 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:09.364209890 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:09.364303112 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:09.818939924 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:11.383296967 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:11.835191011 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:11.835278034 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:12.082917929 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:12.132467031 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:12.382956028 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:12.386569977 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:12.835093021 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:12.836551905 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:13.291076899 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:18.135663033 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:18.259463072 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:18.506989956 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:18.664515972 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:19.042735100 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:19.490888119 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:19.490966082 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:19.738939047 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:19.788554907 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:20.038902044 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:20.039408922 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:20.490921021 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Apr 16, 2024 22:19:20.491013050 CEST | 49736 | 7707 | 192.168.2.4 | 172.111.216.199
                    Apr 16, 2024 22:19:20.958800077 CEST | 7707 | 49736 | 172.111.216.199 | 192.168.2.4
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Apr 16, 2024 22:17:54.417222977 CEST | 54950 | 53 | 192.168.2.4 | 1.1.1.1
                    Apr 16, 2024 22:17:54.524389029 CEST | 53 | 54950 | 1.1.1.1 | 192.168.2.4
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Apr 16, 2024 22:17:54.417222977 CEST | 192.168.2.4 | 1.1.1.1 | 0x25c1 | Standard query (0) | dgorijan20785.hopto.org | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Apr 16, 2024 22:17:54.524389029 CEST | 1.1.1.1 | 192.168.2.4 | 0x25c1 | No error (0) | dgorijan20785.hopto.org |  | 172.111.216.199 | A (IP address) | IN (0x0001) | false


                    Target ID:0
                    Start time:22:17:10
                    Start date:16/04/2024
                    Path:C:\Users\user\Desktop\LZazJikRId.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\LZazJikRId.exe"
                    Imagebase:0x260000
                    File size:48'978'421 bytes
                    MD5 hash:4410DBDF8F12DFBF1F165276C42444FE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1748538360.0000000000262000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1990433706.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1991905089.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:4
                    Start time:22:17:32
                    Start date:16/04/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\user\AppData\Roaming\audiodrv.exe"'
                    Imagebase:0x7ff76f990000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:22:17:32
                    Start date:16/04/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:6
                    Start time:22:17:34
                    Start date:16/04/2024
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD41E.tmp.bat""
                    Imagebase:0x7ff6eeef0000
                    File size:289'792 bytes
                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:22:17:34
                    Start date:16/04/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:22:17:34
                    Start date:16/04/2024
                    Path:C:\Windows\System32\timeout.exe
                    Wow64 process (32bit):false
                    Commandline:timeout 3
                    Imagebase:0x7ff686200000
                    File size:32'768 bytes
                    MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:9
                    Start time:22:17:37
                    Start date:16/04/2024
                    Path:C:\Users\user\AppData\Roaming\audiodrv.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\AppData\Roaming\audiodrv.exe"
                    Imagebase:0x1c0000
                    File size:92'634'892 bytes
                    MD5 hash:B650EE637C386E63F318CFF98A1F4A7A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.3007275677.0000000000704000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.3018371066.000000001AF05000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.3008061689.0000000002231000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\audiodrv.exe, Author: Joe Security
                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\audiodrv.exe, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low
                    Has exited:false
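The process chain above is the persistence this sample installs: schtasks.exe registers a logon task with /RL HIGHEST whose action is the dropped copy at C:\Users\user\AppData\Roaming\audiodrv.exe, then cmd.exe runs a batch file from %TEMP% that waits (timeout 3) and starts that copy. The PowerShell below is an added example, not part of the Joe Sandbox report or of the sample: it enumerates scheduled tasks on a host and reports those that match the observed shape (logon trigger, Highest run level, action binary under a user profile folder), and tags any whose MD5 equals the hash reported for audiodrv.exe above. The profile-folder pattern and the decision to treat such tasks as suspicious are assumptions for the example; run it from an elevated shell so Get-ScheduledTask sees every task.

```powershell
# Added example (not from the Joe Sandbox report). Hunts for scheduled-task
# persistence shaped like the one the sample created:
#   schtasks /create /f /sc ONLOGON /RL HIGHEST /tn ... /tr "<user profile path>\*.exe"
# Run from an elevated PowerShell.

# MD5 of the dropped audiodrv.exe as reported above; used only to tag exact matches.
$ReportedMd5 = 'B650EE637C386E63F318CFF98A1F4A7A'

# Assumption: a logon task at Highest run level that executes out of a user
# profile folder deserves a look. Tighten or loosen for your estate.
$ProfileExePattern = '^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\'

function Find-LogonHighestTasks {
    foreach ($task in Get-ScheduledTask) {
        # Triggers are CIM instances; a logon trigger is MSFT_TaskLogonTrigger.
        $logonTriggers = @($task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        if ($logonTriggers.Count -eq 0) { continue }
        if ($task.Principal.RunLevel -ne 'Highest') { continue }

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            # The observed command line wraps the path in both " and '
            # (/tr "'C:\...\audiodrv.exe"'), so strip both quote styles and
            # expand %APPDATA%-style variables before matching.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"', "'", ' ')
            if ($exe -notmatch $ProfileExePattern) { continue }

            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            $md5 = $null; $size = $null
            if (Test-Path -LiteralPath $exe) {
                $md5  = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash
                $size = (Get-Item -LiteralPath $exe).Length
            }

            [pscustomobject]@{
                TaskPath      = $task.TaskPath
                TaskName      = $task.TaskName
                Author        = $task.Author
                Created       = $task.Date
                Executable    = $exe
                Arguments     = $action.Arguments
                FileExists    = [bool]$md5
                FileSizeBytes = $size
                MD5           = $md5
                MatchesReport = ($md5 -eq $ReportedMd5)
                LastRun       = $info.LastRunTime
                NextRun       = $info.NextRunTime
            }
        }
    }
}

Find-LogonHighestTasks | Format-List
```

The quote stripping matters: because of the stray single quotes in the observed command line, the registered task name and action path can carry literal ' characters, and a hunt that matches on the raw Execute string would miss them. Keep the task XML (Export-ScheduledTask) for any hit before deleting it, so the author, creation date and full action survive for the timeline.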


                      Execution Graph

                      Execution Coverage:32.7%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:3
                      Total number of Limit Nodes:0
                      execution_graph (3 nodes): 7ffd9b882ed1 -> 7ffd9b882eef [RtlSetProcessIsCritical] -> 7ffd9b882f80

                      Callgraph

                      • Executed
                      • Not Executed
                      • Opacity -> Relevance
                      • Disassembly available
                      callgraph: 102 functions in the dumped region at 00007FFD9B880000 (Function_00007FFD9B88000C through Function_00007FFD9B882ED1) with their call edges; the interactive node and edge listing is omitted here. Function_00007FFD9B882ED1 is the function whose execution graph and control-flow graph (RtlSetProcessIsCritical) are shown in this section.

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: 7ffd9b882ed1-7ffd9b882f7e [RtlSetProcessIsCritical] -> 7ffd9b882f80 -> 7ffd9b882f86-7ffd9b882fa8; the first block also branches directly to 7ffd9b882f86-7ffd9b882fa8
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2033638635.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9b880000_LZazJikRId.jbxd
                      Similarity
                      • API ID: CriticalProcess
                      • String ID:
                      • API String ID: 2695349919-0
                      • Opcode ID: 514e5f4062ce99b7b31dc737e1be77feba47700f65fb7ff5adf80f99564e1989
                      • Instruction ID: e8aeceb1bd1c4a93f157951d9625f362d6ee9d30d031a2911333681dac521a8f
                      • Opcode Fuzzy Hash: 514e5f4062ce99b7b31dc737e1be77feba47700f65fb7ff5adf80f99564e1989
                      • Instruction Fuzzy Hash: A931E73190DB488FDB28DB98D856AE97BF0EF59321F00016FD04AC3592DA246846CB41
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Execution Graph

                      Execution Coverage:20.8%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:3
                      Total number of Limit Nodes:0
                      execution_graph (3 nodes): 7ffd9b8b2a85 -> 7ffd9b8b2adf [RtlSetProcessIsCritical] -> 7ffd9b8b2b40

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: basic blocks 7ffd9b8b6806 through 7ffd9b8b6cc3; no Windows API calls are resolved in this function, and block 7ffd9b8b6c69-7ffd9b8b6ca8 calls 7ffd9b8b6cc4. The block-level edge listing is omitted here.
                      Memory Dump Source
                      • Source File: 00000009.00000002.3021298756.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_audiodrv.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 572002cd7e26b7223696c0c3414b0405f7a4b2ae854c23ff6e9d101f8a7b28d6
                      • Instruction ID: 64c0e0e33013f028e6d77db882b3dbca6ce3e9bf6ee98914029ad8547047fd16
                      • Opcode Fuzzy Hash: 572002cd7e26b7223696c0c3414b0405f7a4b2ae854c23ff6e9d101f8a7b28d6
                      • Instruction Fuzzy Hash: 03F1B770609A4D8FEBA8DF28C8657E977E1FF58310F04426ED84DC7295DB34E9458B81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: basic blocks 7ffd9b8b75b2 through 7ffd9b8b7a3f; no Windows API calls are resolved in this function, and block 7ffd9b8b79c2-7ffd9b8b7a24 calls 7ffd9b8b7a40. The block-level edge listing is omitted here.
                      Memory Dump Source
                      • Source File: 00000009.00000002.3021298756.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_audiodrv.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e6c586610ddeebba400056ec39b4fe5146b869f67a41d7abfc567133b7739a72
                      • Instruction ID: 08ac2fb66e850fd23f859473a6d5787640c2df6375361d04067baface6925622
                      • Opcode Fuzzy Hash: e6c586610ddeebba400056ec39b4fe5146b869f67a41d7abfc567133b7739a72
                      • Instruction Fuzzy Hash: 92E1C430A09A4E8FEBA8DF28C8657E977D1FF58310F04426ED84DC72A5DE3499458BC1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: 7ffd9b8b2a85-7ffd9b8b2b3e [RtlSetProcessIsCritical] -> 7ffd9b8b2b40 -> 7ffd9b8b2b46-7ffd9b8b2b68; the first block also branches directly to 7ffd9b8b2b46-7ffd9b8b2b68
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.3021298756.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_7ffd9b8b0000_audiodrv.jbxd
                      Similarity
                      • API ID: CriticalProcess
                      • String ID:
                      • API String ID: 2695349919-0
                      • Opcode ID: 342dd8f6774422cd16438dd692274677cf0036eb52059acbaf140bc9b7a11055
                      • Instruction ID: 424dec6b6dfd9c06c041f4f1439a77054d6362f0146c6ccc4617008defae3305
                      • Opcode Fuzzy Hash: 342dd8f6774422cd16438dd692274677cf0036eb52059acbaf140bc9b7a11055
                      • Instruction Fuzzy Hash: B4310A3050D7488FD7199FA8DC59AE97BF0EF5A321F0401AFE08AC3563CA686846CB51
                      Uniqueness

                      Uniqueness Score: -1.00%
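Both the submitted sample (region 00007FFD9B880000, Target ID 0) and the dropped audiodrv.exe (region 00007FFD9B8B0000, Target ID 9, still running when the analysis ended) contain a block that calls RtlSetProcessIsCritical, which is what the "Protects its processes via BreakOnTermination flag" signature in the overview refers to. A process with that flag set cannot simply be killed: terminating it bugchecks Windows with CRITICAL_PROCESS_DIED. The PowerShell below is an added example, not part of the report or of the sample; it queries and clears ProcessBreakOnTermination (PROCESSINFOCLASS value 29, 0x1D) through NtQueryInformationProcess and NtSetInformationProcess before stopping the process. It assumes an elevated shell, since clearing the flag needs SeDebugPrivilege, which Process.EnterDebugMode enables; the process name audiodrv in the usage loop is taken from the report.

```powershell
# Added example (not from the Joe Sandbox report). Tests whether a process has
# ProcessBreakOnTermination set (the effect of the RtlSetProcessIsCritical call in
# the dumped code) and clears it, so the implant can be stopped without a bugcheck.
# Run from an elevated PowerShell.

$NtSignatures = @'
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr processHandle, int infoClass,
    ref int info, int infoLength, ref int returnLength);
[DllImport("ntdll.dll")]
public static extern int NtSetInformationProcess(IntPtr processHandle, int infoClass,
    ref int info, int infoLength);
'@
if (-not ('Win32.NtProcess' -as [type])) {
    Add-Type -MemberDefinition $NtSignatures -Name NtProcess -Namespace Win32
}

# PROCESSINFOCLASS.ProcessBreakOnTermination; the value is a 4-byte ULONG, 1 = critical.
$ProcessBreakOnTermination = 0x1D

function Test-CriticalProcess {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $flag = 0; $returned = 0
    # Process.Handle opens the target with full access; with SeDebugPrivilege enabled
    # (see EnterDebugMode below) that succeeds for processes of other users too.
    $status = [Win32.NtProcess]::NtQueryInformationProcess(
        $proc.Handle, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
    if ($status -ne 0) { throw ('NtQueryInformationProcess failed: 0x{0:X8}' -f $status) }
    return ($flag -ne 0)
}

function Clear-CriticalProcess {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $flag = 0
    # Clearing the flag requires SeDebugPrivilege in the caller's token.
    $status = [Win32.NtProcess]::NtSetInformationProcess(
        $proc.Handle, $ProcessBreakOnTermination, [ref]$flag, 4)
    if ($status -ne 0) { throw ('NtSetInformationProcess failed: 0x{0:X8}' -f $status) }
}

function Stop-CriticalSafe {
    param([Parameter(Mandatory)][int]$ProcessId)
    if (Test-CriticalProcess -ProcessId $ProcessId) {
        Write-Warning "PID $ProcessId has BreakOnTermination set; clearing it before termination"
        Clear-CriticalProcess -ProcessId $ProcessId
        # Re-check: never terminate while the flag is still set.
        if (Test-CriticalProcess -ProcessId $ProcessId) {
            throw "PID $ProcessId is still critical; refusing to terminate"
        }
    }
    Stop-Process -Id $ProcessId -Force
}

# Enable SeDebugPrivilege for this session (throws if the shell is not elevated).
[System.Diagnostics.Process]::EnterDebugMode()

# Usage: the dropped implant runs as audiodrv.exe in the report.
foreach ($p in Get-Process -Name audiodrv -ErrorAction SilentlyContinue) {
    Stop-CriticalSafe -ProcessId $p.Id
}
```

Querying the flag only needs a query-information handle, so Test-CriticalProcess is also usable as a read-only triage step across a process list before any termination is attempted; the same applies to the original LZazJikRId.exe process if it is still resident, since its dumped code carries the identical RtlSetProcessIsCritical block.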