Windows Analysis Report
dVX6r5CyYY.exe

Overview

General Information

Sample name: dVX6r5CyYY.exe
Analysis ID: 1417262
MD5: 46bbacb63c2f6c440be347e99210c3a3
SHA1: 8b3f6920bf657fd1973069540ec5990b2033e69a
SHA256: 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample is not signed and drops a device driver
Sigma detected: New RUN Key Pointing to Suspicious Folder
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe ReversingLabs: Detection: 13%
Source: dVX6r5CyYY.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Joe Sandbox ML: detected
Source: dVX6r5CyYY.exe Joe Sandbox ML: detected
Source: dVX6r5CyYY.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Directory created: C:\Program Files\Microsoft DN1
Source: unknown HTTPS traffic detected: 50.87.142.20:443 -> 192.168.11.20:49957 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.142.20:443 -> 192.168.11.20:49958 version: TLS 1.2
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405772
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_0040622D FindFirstFileW,FindClose, 0_2_0040622D
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_00402770 FindFirstFileW, 2_2_00402770
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405772
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_0040622D FindFirstFileW,FindClose, 2_2_0040622D
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected (observed 4 times): GET /ASsHdVpRUDfpWtkNHm150.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: adamkiddoo.com
    Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: adamkiddoo.com
Source: dVX6r5CyYY.exe, 00000002.00000003.13158722895.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000003.13157957704.0000000002CFA000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: dVX6r5CyYY.exe, 00000002.00000003.13158722895.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000003.13157957704.0000000002CFA000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: dVX6r5CyYY.exe, Antiadiaphorist236.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: dVX6r5CyYY.exe, 00000002.00000003.13158722895.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000003.13157957704.0000000002CFA000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/
Source: dVX6r5CyYY.exe, 00000002.00000002.13174886143.0000000004770000.00000004.00001000.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002C78000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A87000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13456710832.0000000004770000.00000004.00001000.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.bin
Source: dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002C78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.bin6K
Source: Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.bin=
Source: Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.binCom3
Source: Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.binJ&
Source: Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.binN
Source: dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002C78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.binfJ
Source: dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002C78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.binl64
Source: dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002C78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.binwsdn
Source: dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002C78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/ASsHdVpRUDfpWtkNHm150.bin~K
Source: dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/U
Source: Antiadiaphorist236.exe, 00000005.00000003.13450134920.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/Vm
Source: Antiadiaphorist236.exe, 00000005.00000003.13450134920.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adamkiddoo.com/nm
Source: dVX6r5CyYY.exe, 00000002.00000003.13158722895.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000003.13157957704.0000000002CFA000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
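
The network records above, turned into a hunt over proxy or EDR network telemetry. This is an added example and not part of the sandbox report: the key=value log format, the process field, the benign records and the placeholder JA3 are constructed, while the host, IP, URI, User-Agent and JA3 values are taken from the report. The caveat it encodes: the User-Agent is a genuine Firefox 121 string, and the JA3 comes from the Windows TLS stack the loader uses (wininet.dll, winhttp.dll and schannel.dll appear in the section-loaded list), so neither is an indicator on its own; the UA only becomes a signal when the sending process is not a browser.

```python
"""Hunt for the second-stage fetch recorded in the report in web-proxy or EDR
network telemetry.  Added example, not part of the sandbox report.  The
key=value record format and every record except the indicator values are
constructed; host, IP, URI, User-Agent and JA3 come from the report.
"""
import shlex
from typing import Dict, List, Tuple

# Indicators taken from the report.
C2_HOST = "adamkiddoo.com"
C2_IP = "50.87.142.20"
PAYLOAD_URI = "/ASsHdVpRUDfpWtkNHm150.bin"
JA3_REPORTED = "37f463bf4616ecd445d4a1937da06e19"

# The loader sends a genuine Firefox 121 User-Agent, so the UA is only a
# signal when the sending process is not a browser.
BROWSER_PROCESSES = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe", "brave.exe"}
BROWSER_UA_MARKERS = ("Firefox/", "Chrome/", "Safari/", "Edg/")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed key=value line; values may be double-quoted."""
    record: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record is suspicious (empty list means benign)."""
    reasons: List[str] = []
    dst_ip = rec.get("dst", "").rsplit(":", 1)[0]
    if rec.get("host") == C2_HOST or dst_ip == C2_IP or rec.get("uri") == PAYLOAD_URI:
        reasons.append("high: matches a host/IP/URI indicator from the report")

    proc = rec.get("proc", "").lower()
    uses_browser_ua = any(marker in rec.get("ua", "") for marker in BROWSER_UA_MARKERS)
    if uses_browser_ua and proc and proc not in BROWSER_PROCESSES:
        reasons.append(f"medium: browser User-Agent sent by non-browser process {proc}")
        # The loader pulls its payload as a .bin with Cache-Control: no-cache.
        if rec.get("uri", "").lower().endswith(".bin") and rec.get("cache_control") == "no-cache":
            reasons.append("medium: .bin fetched with Cache-Control: no-cache (stage-2 download pattern)")

    # The JA3 is produced by the Windows TLS stack the loader uses (it loads
    # wininet/winhttp/schannel), so it is shared with legitimate software and
    # only corroborates a record that is already suspicious.
    if reasons and rec.get("ja3") == JA3_REPORTED:
        reasons.append("info: JA3 matches the report (corroboration only)")
    return reasons


def hunt(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (process, reasons) for every record that is flagged."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec.get("proc", "?"), reasons))
    return hits


FIREFOX_UA = 'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"'

# Constructed telemetry; only the first record reproduces values seen in the report.
SAMPLE_LOG = [
    # 1) the observed fetch
    "ts=2024-03-26T10:01:02Z proc=dVX6r5CyYY.exe src=192.168.11.20:49957 dst=50.87.142.20:443 "
    "host=adamkiddoo.com method=GET uri=/ASsHdVpRUDfpWtkNHm150.bin cache_control=no-cache "
    f"{FIREFOX_UA} ja3={JA3_REPORTED}",
    # 2) the same User-Agent from a real browser: benign (JA3 value is a placeholder)
    "ts=2024-03-26T10:02:00Z proc=firefox.exe src=192.168.11.20:50001 dst=203.0.113.10:443 "
    f"host=www.example.com method=GET uri=/ {FIREFOX_UA} ja3=0123456789abcdef0123456789abcdef",
    # 3) an OS component sharing the reported JA3 but with no browser UA: benign
    "ts=2024-03-26T10:03:00Z proc=svchost.exe src=192.168.11.20:50002 dst=203.0.113.20:443 "
    'host=update.example.net method=GET uri=/pkg.cab ua="Microsoft-Delivery-Optimization/10.0" '
    f"ja3={JA3_REPORTED}",
    # 4) a hypothetical sibling stage on a host not in the report: caught by behaviour alone
    "ts=2024-03-26T10:04:00Z proc=Antiadiaphorist236.exe src=192.168.11.20:50003 dst=198.51.100.7:443 "
    f"host=cdn.example.org method=GET uri=/stage2.bin cache_control=no-cache {FIREFOX_UA} ja3={JA3_REPORTED}",
]

if __name__ == "__main__":
    for proc, reasons in hunt(SAMPLE_LOG):
        print(proc)
        for reason in reasons:
            print("   ", reason)
```

Record 3 is the point of the exercise: it carries the same JA3 as the sample and is not flagged, because JA3 is only consulted once a record is already suspicious on other grounds. Record 4 shows the behavioural rules catching a stage that shares no host or URI with the report.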
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_004052D3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052D3
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_0040335A EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040335A
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_0040335A EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 2_2_0040335A
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\alluder\adjunctively.sys
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File created: C:\Windows\resources\shakeproof
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File created: C:\Windows\resources\shakeproof\tnkeevne
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_00404B10 0_2_00404B10
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_0040653F 0_2_0040653F
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_00404B10 2_2_00404B10
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_0040653F 2_2_0040653F
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsh313D.tmp\System.dll 7FE77CA13121A113C59630A3DBA0C8AAA6372E8082393274DA8F8608C4CE4528
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nskAAD2.tmp\System.dll 7FE77CA13121A113C59630A3DBA0C8AAA6372E8082393274DA8F8608C4CE4528
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: String function: 00402B3A appears 47 times
Source: dVX6r5CyYY.exe Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: Antiadiaphorist236.exe.2.dr Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: wintypes.dll (loaded 3 times)
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: webservices.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: devenum.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: wintypes.dll (loaded 3 times)
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: webservices.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: devenum.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Section loaded: msvfw32.dll
Source: classification engine Classification label: mal80.troj.winEXE@6/57@1/1
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_004045CA GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004045CA
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Mutant created: NULL
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File created: C:\Users\user\AppData\Local\Temp\nsm2592.tmp
Source: dVX6r5CyYY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File read: C:\Users\user\Desktop\dVX6r5CyYY.exe
Source: unknown Process created: C:\Users\user\Desktop\dVX6r5CyYY.exe "C:\Users\user\Desktop\dVX6r5CyYY.exe"
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Process created: C:\Users\user\Desktop\dVX6r5CyYY.exe "C:\Users\user\Desktop\dVX6r5CyYY.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe "C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe"
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Process created: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe "C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe"
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
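
The process tree above shows both the NSIS loader and the dropped Antiadiaphorist236.exe starting a second copy of themselves, which the report pairs with the signature "Creates a process in suspended mode (likely to inject code)". The check below flags that self-spawn pattern in process-creation telemetry. It is an added example, not part of the sandbox report: the records and field names are constructed to resemble Sysmon event ID 1, the pids are invented, and because the report does not show what started Antiadiaphorist236.exe, explorer.exe is assumed as its parent. Sysmon does not record process creation flags, so the self-spawn is the observable stand-in for the CREATE_SUSPENDED setup; the allowlist of legitimate self-spawners is the example's own.

```python
"""Find processes that start a second copy of themselves, the pattern the
report's process tree shows for dVX6r5CyYY.exe and Antiadiaphorist236.exe.
Added example, not part of the sandbox report; records are constructed to
resemble Sysmon event ID 1 (pids invented, explorer.exe assumed as parent of
the dropped file).  Sysmon does not log creation flags, so the self-spawn is
the observable proxy for the CREATE_SUSPENDED injection setup.
"""
from typing import Dict, List, Tuple

# Parents that legitimately start children with their own image (multi-process
# browsers, console host).  The list is the example's own; baseline yours.
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "conhost.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\", "\\desktop\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def find_self_spawns(events: List[Dict[str, object]]) -> List[Tuple[int, str, str]]:
    """Return (pid, image, severity) for each child whose parent has the same image path."""
    findings = []
    for ev in events:
        image, parent = str(ev["image"]), str(ev["parent_image"])
        if image.lower() != parent.lower():
            continue
        suspicious_dir = in_user_writable_dir(image)
        # An allowlisted name only earns a pass from its normal install location;
        # chrome.exe in Downloads spawning chrome.exe is a masquerade, not a browser.
        if basename(image) in SELF_SPAWN_ALLOWLIST and not suspicious_dir:
            continue
        severity = "high" if suspicious_dir else "medium"
        findings.append((int(ev["pid"]), image, severity))
    return findings


# Constructed records.  The first four mirror the report's process tree.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Users\user\Desktop\dVX6r5CyYY.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4180, "ppid": 4100, "image": r"C:\Users\user\Desktop\dVX6r5CyYY.exe",
     "parent_image": r"C:\Users\user\Desktop\dVX6r5CyYY.exe"},
    {"pid": 4300, "ppid": 1200, "image": r"C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4390, "ppid": 4300, "image": r"C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe"},
    # benign multi-process browser from its install location
    {"pid": 5010, "ppid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # allowlisted name running from a user-writable folder
    {"pid": 5020, "ppid": 5015, "image": r"C:\Users\user\Downloads\chrome.exe",
     "parent_image": r"C:\Users\user\Downloads\chrome.exe"},
    # unknown vendor agent restarting itself from Program Files: worth a look, not an alarm
    {"pid": 6001, "ppid": 6000, "image": r"C:\Program Files\VendorX\agent.exe",
     "parent_image": r"C:\Program Files\VendorX\agent.exe"},
]

if __name__ == "__main__":
    for pid, image, severity in find_self_spawns(SAMPLE_EVENTS):
        print(f"{severity:6} pid={pid} {image}")
```

Severity is driven by where the image lives rather than by its name, which is why the Desktop and Temp copies score high while the Program Files agent only scores medium, and why the Downloads chrome.exe is not rescued by the allowlist.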

Data Obfuscation

Source: Yara match File source: 00000004.00000002.13442444231.000000000594E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.13161347684.000000000599E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_00406254 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406254
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_10002DA0 push eax; ret 0_2_10002DCE
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_021B28DA push E4840C47h; retf 2_2_021B28DF
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_021B2CDA push E4840C43h; iretd 2_2_021B2CDF
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Code function: 5_2_021B28DA push E4840C47h; retf 5_2_021B28DF
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Code function: 5_2_021B2CDA push E4840C43h; iretd 5_2_021B2CDF

Persistence and Installation Behavior

barindex
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\alluder\adjunctively.sys
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe File created: C:\Users\user\AppData\Local\Temp\nskAAD2.tmp\System.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File created: C:\Users\user\AppData\Local\Temp\nsh313D.tmp\System.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File created: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Tjenerskab
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskAAD2.tmp\System.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsh313D.tmp\System.dll
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405772
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_0040622D FindFirstFileW,FindClose, 0_2_0040622D
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_00402770 FindFirstFileW, 2_2_00402770
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405772
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 2_2_0040622D FindFirstFileW,FindClose, 2_2_0040622D
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002CE6000.00000004.00000020.00020000.00000000.sdmp, dVX6r5CyYY.exe, 00000002.00000002.13174157695.0000000002C78000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002A87000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000003.13450554811.0000000002AF4000.00000004.00000020.00020000.00000000.sdmp, Antiadiaphorist236.exe, 00000005.00000002.13455664191.0000000002AF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_00406254 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406254
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Process created: C:\Users\user\Desktop\dVX6r5CyYY.exe "C:\Users\user\Desktop\dVX6r5CyYY.exe"
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Process created: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe "C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe"
Source: C:\Users\user\Desktop\dVX6r5CyYY.exe Code function: 0_2_00405F0C GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405F0C
Source: C:\Users\user\AppData\Local\Temp\Kirkegangens\Antiadiaphorist236.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid