Windows Analysis Report
giLqLXLHs3.exe

Overview

General Information

Sample Name: giLqLXLHs3.exe
Analysis ID: 738927
MD5: d7f34f1712688bb9564296842355a8b9
SHA1: 1245a185de18808ef075297fc4740d7a3b7b6381
SHA256: c9944c04100d2b5d75b8bff00359b3bef6481bdb72d965032ac800d99cb4fe1a
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Yara detected Costura Assembly Loader
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Binary contains a suspicious time stamp
Enables debug privileges

Classification

AV Detection

Source: klanet.duckdns.org Virustotal: Detection: 5%
Source: giLqLXLHs3.exe Joe Sandbox ML: detected
Source: giLqLXLHs3.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: giLqLXLHs3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: costura.mahapps.metro.iconpacks.core.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: hl3costura.mahapps.metro.iconpacks.core.pdb.compressed source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|9D79504DE51E115DB26ED0175610FEF704182CDD|2608 source: giLqLXLHs3.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256 source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: hl$costura.htmltextblock.pdb.compressed source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.mahapps.metro.iconpacks.core.pdb.compressed|||MahApps.Metro.IconPacks.Core.pdb|9E10B3D9F7E753F984E8BFE09417371A7F52DCA0|81408 source: giLqLXLHs3.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\projects\mahapps-metro-iconpacks\src\MahApps.Metro.IconPacks\obj\Release\MahApps.Metro.IconPacks.Material\net47\MahApps.Metro.IconPacks.Material.pdb source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.htmltextblock.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: D:\source\GF\GFAlarmUpdater\obj\Release\GFAlarmUpdater.pdb source: giLqLXLHs3.exe
Source: Binary string: costura.costura.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: hl7costura.mahapps.metro.iconpacks.material.pdb.compressed source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.mahapps.metro.iconpacks.material.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: htmltextblockIcostura.htmltextblock.dll.compressedIcostura.htmltextblock.pdb.compressed9mahapps.metro.iconpacks.coregcostura.mahapps.metro.iconpacks.core.dll.compressedgcostura.mahapps.metro.iconpacks.core.pdb.compressedAmahapps.metro.iconpacks.materialocostura.mahapps.metro.iconpacks.material.dll.compressedocostura.mahapps.metro.iconpacks.material.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: /_/src/MahApps.Metro.IconPacks.Core/obj/Release/net47/MahApps.Metro.IconPacks.Core.pdb source: giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.mahapps.metro.iconpacks.material.pdb.compressed|||MahApps.Metro.IconPacks.Material.pdb|820140E5CD1F78B1B22706BEBC6182C6B8D36E7C|44544 source: giLqLXLHs3.exe
Source: Binary string: costura.htmltextblock.pdb.compressed|||HtmlTextBlock.pdb|18E9F604D8CE1318CCE807BC9B87E6DC42F547B8|60928 source: giLqLXLHs3.exe

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 663
Source: unknown Network traffic detected: HTTP traffic on port 663 -> 49687
Source: unknown DNS query: name: klanet.duckdns.org
Source: global traffic TCP traffic: 192.168.2.7:49687 -> 221.157.45.236:663
Source: Joe Sandbox View ASN Name: KIXS-AS-KRKoreaTelecomKR KIXS-AS-KRKoreaTelecomKR
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://klanet.duckdns.org:663
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://klanet.duckdns.org:663/resource/version.tsv
Source: giLqLXLHs3.exe String found in binary or memory: http://klanet.duckdns.org:663/resource/version.tsv#downloadVoicePack#WindowBorderBrush
Source: giLqLXLHs3.exe String found in binary or memory: http://klanet.duckdns.org:663/version
Source: giLqLXLHs3.exe String found in binary or memory: http://metro.mahapps.com/winfx/xaml/iconpacks
Source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://metro.mahapps.com/winfx/xaml/iconpackseup
Source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://metro.mahapps.com/winfx/xaml/iconpacksp
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/3
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/5
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nlog-project.org/ws/T
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: giLqLXLHs3.exe, 00000000.00000002.544818086.000000000A24E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: giLqLXLHs3.exe String found in binary or memory: http://www.quickzip.org/BaseControls
Source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quickzip.org/BaseControlsx
Source: giLqLXLHs3.exe, 00000000.00000002.544818086.000000000A24E000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.544737200.000000000A232000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: giLqLXLHs3.exe, 00000000.00000003.254202440.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.254322553.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.254180030.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.254271837.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.544737200.000000000A232000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://design.google
Source: giLqLXLHs3.exe String found in binary or memory: https://design.googleGoogle
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gall.dcinside.com/
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gall.dcinside.com/micateam/1644952)
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/MahApps/MahApps.Metro.IconPacks.git
Source: giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/MahApps/MahApps.Metro.IconPacks.git&
Source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.521156580.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Templarian/MaterialDesign/blob/master/LICENSE
Source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Templarian/MaterialDesign/blob/master/LICENSE-
Source: giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://materialdesignicons.com/
Source: giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nlog-project.org/
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown DNS traffic detected: queries for: klanet.duckdns.org
Source: global traffic HTTP traffic detected: GET /resource/version.tsv HTTP/1.1
User-Agent: request
Host: klanet.duckdns.org:663
Connection: Keep-Alive
Source: giLqLXLHs3.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: _originalFileName vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNLog.dll: vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.Material.dllP vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _originalFileName vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNLog.dll: vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.Material.dllP vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _originalFileName vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNLog.dll: vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.Core.dllP vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.Material.dllP vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe Binary or memory string: OriginalFilenameGFAlarmUpdater.exe> vs giLqLXLHs3.exe
Source: C:\Users\user\Desktop\giLqLXLHs3.exe File read: C:\Users\user\Desktop\giLqLXLHs3.exe:Zone.Identifier
Source: giLqLXLHs3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: giLqLXLHs3.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: classification engine Classification label: mal64.troj.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\giLqLXLHs3.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\giLqLXLHs3.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\giLqLXLHs3.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: giLqLXLHs3.exe Static file information: File size 2366976 > 1048576
Source: giLqLXLHs3.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: giLqLXLHs3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: giLqLXLHs3.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x239e00
Source: giLqLXLHs3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: giLqLXLHs3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: costura.mahapps.metro.iconpacks.core.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: hl3costura.mahapps.metro.iconpacks.core.pdb.compressed source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|9D79504DE51E115DB26ED0175610FEF704182CDD|2608 source: giLqLXLHs3.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256 source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: hl$costura.htmltextblock.pdb.compressed source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.mahapps.metro.iconpacks.core.pdb.compressed|||MahApps.Metro.IconPacks.Core.pdb|9E10B3D9F7E753F984E8BFE09417371A7F52DCA0|81408 source: giLqLXLHs3.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\projects\mahapps-metro-iconpacks\src\MahApps.Metro.IconPacks\obj\Release\MahApps.Metro.IconPacks.Material\net47\MahApps.Metro.IconPacks.Material.pdb source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.htmltextblock.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: D:\source\GF\GFAlarmUpdater\obj\Release\GFAlarmUpdater.pdb source: giLqLXLHs3.exe
Source: Binary string: costura.costura.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: hl7costura.mahapps.metro.iconpacks.material.pdb.compressed source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.mahapps.metro.iconpacks.material.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: htmltextblockIcostura.htmltextblock.dll.compressedIcostura.htmltextblock.pdb.compressed9mahapps.metro.iconpacks.coregcostura.mahapps.metro.iconpacks.core.dll.compressedgcostura.mahapps.metro.iconpacks.core.pdb.compressedAmahapps.metro.iconpacks.materialocostura.mahapps.metro.iconpacks.material.dll.compressedocostura.mahapps.metro.iconpacks.material.pdb.compressed source: giLqLXLHs3.exe
Source: Binary string: /_/src/MahApps.Metro.IconPacks.Core/obj/Release/net47/MahApps.Metro.IconPacks.Core.pdb source: giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.mahapps.metro.iconpacks.material.pdb.compressed|||MahApps.Metro.IconPacks.Material.pdb|820140E5CD1F78B1B22706BEBC6182C6B8D36E7C|44544 source: giLqLXLHs3.exe
Source: Binary string: costura.htmltextblock.pdb.compressed|||HtmlTextBlock.pdb|18E9F604D8CE1318CCE807BC9B87E6DC42F547B8|60928 source: giLqLXLHs3.exe
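The two manifest-style strings just above pair each Costura `*.pdb.compressed` resource with an original file name, a 40-character hex digest and a byte count. The following script is an added example (not code from the report or from Costura) that parses those lines, inflates a Costura resource and checks it against the manifest. It assumes the fields mean original file name, SHA-1 of the inflated bytes and inflated size, and that the resources are raw DEFLATE streams as written by `System.IO.Compression.DeflateStream`; since the actual resource bytes are not on the page, it builds a constructed stand-in to exercise the verifier.

```python
import hashlib
import zlib

# Manifest lines copied from the report above. My reading of the layout:
# "<resource name>|||<original file name>|<SHA-1 hex of inflated data>|<size in bytes>".
REPORT_MANIFEST_LINES = [
    "costura.mahapps.metro.iconpacks.material.pdb.compressed|||"
    "MahApps.Metro.IconPacks.Material.pdb|820140E5CD1F78B1B22706BEBC6182C6B8D36E7C|44544",
    "costura.htmltextblock.pdb.compressed|||"
    "HtmlTextBlock.pdb|18E9F604D8CE1318CCE807BC9B87E6DC42F547B8|60928",
]

HEX = set("0123456789abcdefABCDEF")


def parse_manifest_line(line: str) -> dict:
    """Split one manifest line into resource name, file name, SHA-1 and size."""
    resource, sep, rest = line.partition("|||")
    if not sep:
        raise ValueError(f"no '|||' separator in {line!r}")
    file_name, sha1_hex, size = rest.split("|")
    if len(sha1_hex) != 40 or not set(sha1_hex) <= HEX:
        raise ValueError(f"not a SHA-1 hex digest: {sha1_hex!r}")
    return {"resource": resource, "file_name": file_name,
            "sha1": sha1_hex.lower(), "size": int(size)}


def inflate_costura_resource(blob: bytes) -> bytes:
    """Inflate a '*.compressed' resource.

    Costura writes these with DeflateStream: a raw DEFLATE stream with no
    zlib header or trailer, hence wbits=-15. Truncated or padded streams are
    rejected so a tampered resource does not verify by accident."""
    d = zlib.decompressobj(wbits=-15)
    data = d.decompress(blob) + d.flush()
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    if d.unused_data:
        raise ValueError(f"{len(d.unused_data)} trailing bytes after the DEFLATE stream")
    return data


def verify_resource(entry: dict, blob: bytes) -> bool:
    """True when the inflated resource has the size and SHA-1 the manifest claims."""
    data = inflate_costura_resource(blob)
    return len(data) == entry["size"] and hashlib.sha1(data).hexdigest() == entry["sha1"]


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that an inflated '*.dll.compressed' resource is a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE encoder, used only to build a constructed resource for the demo."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


def make_manifest_line(resource: str, file_name: str, data: bytes) -> str:
    """Build a manifest line for constructed data, in the same layout as the report's."""
    return f"{resource}|||{file_name}|{hashlib.sha1(data).hexdigest().upper()}|{len(data)}"


if __name__ == "__main__":
    # Constructed stand-in for an embedded PDB; the real resource bytes are not on the page.
    sample = b"constructed pdb bytes, not a real Costura resource\n" * 64
    blob = deflate_raw(sample)
    own = parse_manifest_line(make_manifest_line("costura.sample.pdb.compressed", "Sample.pdb", sample))
    print("constructed resource verifies:", verify_resource(own, blob))
    for line in REPORT_MANIFEST_LINES:
        e = parse_manifest_line(line)
        print(f"{e['file_name']}: expected {e['size']} bytes, SHA-1 {e['sha1']}; "
              f"matches constructed data: {verify_resource(e, blob)}")
```

On a real sample the `blob` would be the bytes of the managed resource named in the manifest (extracted with a .NET metadata reader); a manifest mismatch after a clean inflate means the embedded assembly or PDB was replaced after the Costura build step, which is the supply-chain question this check answers.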

Data Obfuscation

Source: Yara match File source: giLqLXLHs3.exe, type: SAMPLE
Source: Yara match File source: 0.0.giLqLXLHs3.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.241342686.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: giLqLXLHs3.exe PID: 6084, type: MEMORYSTR
Source: giLqLXLHs3.exe Static PE information: 0x81A88C7C [Tue Dec 7 03:54:36 2038 UTC]
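The "suspicious time stamp" finding rests on the value 0x81A88C7C decoding to a date in December 2038. The script below is an added example (not part of the report) that reads `TimeDateStamp` from a PE header, renders it as UTC and attaches the flags a triage script should carry alongside the raw value. The caveat it encodes: a hash-based timestamp from a deterministic .NET build typically looks exactly like this (high bit set, past January 2038), and such builds record an `IMAGE_DEBUG_TYPE_REPRO` entry in the debug directory; that entry should be checked before the timestamp is read as tampering. The minimal header it parses is constructed for the demo and is not a loadable image.

```python
import struct
from datetime import datetime, timedelta, timezone

# TimeDateStamp reported above for giLqLXLHs3.exe.
REPORTED_TIMESTAMP = 0x81A88C7C

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def read_timedatestamp(pe: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from the bytes of a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return ts


def timestamp_to_iso(ts: int) -> str:
    """Render a PE timestamp (seconds since the Unix epoch) as ISO-8601 UTC.
    Done with timedelta so values past 2038 work on every platform."""
    return (UNIX_EPOCH + timedelta(seconds=ts)).isoformat()


def assess_timestamp(ts: int, now_ts: int) -> dict:
    """Flags and a verdict for a TimeDateStamp, given the current Unix time.

    'future' plus 'high_bit' is what a hash-based timestamp looks like:
    deterministic Roslyn builds (the default for SDK-style .NET projects)
    store a hash of the compilation instead of the build time and add an
    IMAGE_DEBUG_TYPE_REPRO (type 16) entry to the debug directory.
    Confirm that entry before calling the value tampered."""
    flags = {
        "utc": timestamp_to_iso(ts),
        "zero": ts == 0,
        "future": ts > now_ts,
        "high_bit": bool(ts & 0x80000000),
    }
    if flags["zero"]:
        flags["verdict"] = "zero: timestamp stripped or never set"
    elif flags["future"] and flags["high_bit"]:
        flags["verdict"] = ("future, high bit set: hash-based (deterministic build) "
                            "or tampered; check the debug directory for a REPRO entry")
    elif flags["future"]:
        flags["verdict"] = "future: tampered or wrong clock at build time"
    else:
        flags["verdict"] = "plausible build time"
    return flags


def build_stub_pe(ts: int) -> bytes:
    """Constructed minimal MZ + PE\\0\\0 + COFF header carrying the given
    timestamp. Enough for read_timedatestamp(); not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    ts = read_timedatestamp(build_stub_pe(REPORTED_TIMESTAMP))
    now = int(datetime.now(timezone.utc).timestamp())
    for k, v in assess_timestamp(ts, now).items():
        print(f"{k}: {v}")
```

To run it against the real sample, replace `build_stub_pe(...)` with the bytes of the file; the rest of the logic is unchanged.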

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 663
Source: unknown Network traffic detected: HTTP traffic on port 663 -> 49687
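The two network lines above, together with the `klanet.duckdns.org` lookup in the overview, are the report's "known protocol on a non-standard port" and "dynamic DNS" signatures. The script below is an added example (not from the report or the sandbox) showing how those two signatures are turned into detection logic over flow and DNS records and then correlated per host. The records are constructed: the ports 49687 and 663 and the hostname come from the report, the IP addresses are RFC 1918 and RFC 5737 placeholders, the expected-port set is my assumption for a typical network, and the dynamic-DNS zones other than duckdns.org are ones I added as further examples of the category.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Ports on which cleartext HTTP is expected here. Assumed for a typical
# environment; tune it, the point is that 663 is not on the list.
EXPECTED_HTTP_PORTS = {80, 8000, 8080, 8888, 3128}

# duckdns.org is the zone seen in the report; the others are additional free
# dynamic-DNS zones added here as examples of the same category.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    service: str  # application protocol as the sensor identified it, e.g. "http"


@dataclass(frozen=True)
class DnsQuery:
    src: str
    name: str


def is_dynamic_dns(name: str) -> bool:
    """Suffix match on the registered dynamic-DNS zone, case- and dot-insensitive."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in DYNDNS_SUFFIXES)


def http_on_unexpected_port(flows: Iterable[Flow]) -> List[str]:
    """Flows the sensor identified as HTTP on a port where HTTP is not expected."""
    return [f"{f.src}:{f.sport} -> {f.dst}:{f.dport} identified as HTTP on a non-standard port"
            for f in flows if f.service == "http" and f.dport not in EXPECTED_HTTP_PORTS]


def dynamic_dns_lookups(queries: Iterable[DnsQuery]) -> List[str]:
    """Queries for names under a dynamic-DNS zone."""
    return [f"{q.src} resolved dynamic-DNS name {q.name}" for q in queries if is_dynamic_dns(q.name)]


def hosts_with_both(flows: Iterable[Flow], queries: Iterable[DnsQuery]) -> Set[str]:
    """Hosts that both resolved a dynamic-DNS name and spoke HTTP on an odd port:
    each signal alone is noisy, the pair on one host is worth a ticket."""
    odd = {f.src for f in flows if f.service == "http" and f.dport not in EXPECTED_HTTP_PORTS}
    dyn = {q.src for q in queries if is_dynamic_dns(q.name)}
    return odd & dyn


# Constructed records modelled on the report (IPs are placeholders).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 49687, "192.0.2.10", 663, "http"),   # the reported connection
    Flow("10.0.0.5", 49690, "192.0.2.20", 80, "http"),
    Flow("10.0.0.5", 49691, "192.0.2.30", 443, "ssl"),
    Flow("10.0.0.7", 51000, "192.0.2.40", 8080, "http"),
]
SAMPLE_DNS = [
    DnsQuery("10.0.0.5", "klanet.duckdns.org"),           # the reported lookup
    DnsQuery("10.0.0.7", "www.example.com"),
    DnsQuery("10.0.0.9", "foo.hopto.org"),
]


if __name__ == "__main__":
    for line in http_on_unexpected_port(SAMPLE_FLOWS) + dynamic_dns_lookups(SAMPLE_DNS):
        print(line)
    print("hosts with both signals:", sorted(hosts_with_both(SAMPLE_FLOWS, SAMPLE_DNS)))
```

The `service` label is what makes the first rule meaningful: it must come from protocol identification on the payload (as a sensor such as Zeek does), not from the port, or HTTP on 663 is invisible by construction.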
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: giLqLXLHs3.exe, 00000000.00000002.539968379.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Users\user\Desktop\giLqLXLHs3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\giLqLXLHs3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior