
Windows Analysis Report
giLqLXLHs3.exe

Overview

General Information

Sample Name: giLqLXLHs3.exe
Analysis ID: 738927
MD5: d7f34f1712688bb9564296842355a8b9
SHA1: 1245a185de18808ef075297fc4740d7a3b7b6381
SHA256: c9944c04100d2b5d75b8bff00359b3bef6481bdb72d965032ac800d99cb4fe1a
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Yara detected Costura Assembly Loader
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Binary contains a suspicious time stamp
Enables debug privileges

Classification

  • System is w10x64
  • giLqLXLHs3.exe (PID: 6084 cmdline: C:\Users\user\Desktop\giLqLXLHs3.exe MD5: D7F34F1712688BB9564296842355A8B9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
giLqLXLHs3.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000000.241342686.00000000007F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Process Memory Space: giLqLXLHs3.exe PID: 6084 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.0.giLqLXLHs3.exe.7f0000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: klanet.duckdns.org | Virustotal: Detection: 5%
Source: giLqLXLHs3.exe | Joe Sandbox ML: detected
Source: giLqLXLHs3.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: giLqLXLHs3.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: costura.mahapps.metro.iconpacks.core.pdb.compressed | source: giLqLXLHs3.exe
Source: Binary string: hl3costura.mahapps.metro.iconpacks.core.pdb.compressed | source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|9D79504DE51E115DB26ED0175610FEF704182CDD|2608 | source: giLqLXLHs3.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 | source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed | source: giLqLXLHs3.exe
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256 | source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: hl$costura.htmltextblock.pdb.compressed | source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.mahapps.metro.iconpacks.core.pdb.compressed|||MahApps.Metro.IconPacks.Core.pdb|9E10B3D9F7E753F984E8BFE09417371A7F52DCA0|81408 | source: giLqLXLHs3.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb | source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\projects\mahapps-metro-iconpacks\src\MahApps.Metro.IconPacks\obj\Release\MahApps.Metro.IconPacks.Material\net47\MahApps.Metro.IconPacks.Material.pdb | source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.htmltextblock.pdb.compressed | source: giLqLXLHs3.exe
Source: Binary string: D:\source\GF\GFAlarmUpdater\obj\Release\GFAlarmUpdater.pdb | source: giLqLXLHs3.exe
Source: Binary string: costura.costura.pdb.compressed | source: giLqLXLHs3.exe
Source: Binary string: hl7costura.mahapps.metro.iconpacks.material.pdb.compressed | source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.mahapps.metro.iconpacks.material.pdb.compressed | source: giLqLXLHs3.exe
Source: Binary string: htmltextblockIcostura.htmltextblock.dll.compressedIcostura.htmltextblock.pdb.compressed9mahapps.metro.iconpacks.coregcostura.mahapps.metro.iconpacks.core.dll.compressedgcostura.mahapps.metro.iconpacks.core.pdb.compressedAmahapps.metro.iconpacks.materialocostura.mahapps.metro.iconpacks.material.dll.compressedocostura.mahapps.metro.iconpacks.material.pdb.compressed | source: giLqLXLHs3.exe
Source: Binary string: /_/src/MahApps.Metro.IconPacks.Core/obj/Release/net47/MahApps.Metro.IconPacks.Core.pdb | source: giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb | source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.mahapps.metro.iconpacks.material.pdb.compressed|||MahApps.Metro.IconPacks.Material.pdb|820140E5CD1F78B1B22706BEBC6182C6B8D36E7C|44544 | source: giLqLXLHs3.exe
Source: Binary string: costura.htmltextblock.pdb.compressed|||HtmlTextBlock.pdb|18E9F604D8CE1318CCE807BC9B87E6DC42F547B8|60928 | source: giLqLXLHs3.exe

Networking

Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 663
Source: unknown | Network traffic detected: HTTP traffic on port 663 -> 49687
Source: unknown | DNS query: name: klanet.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.7:49687 -> 221.157.45.236:663
Source: Joe Sandbox View | ASN Name: KIXS-AS-KRKoreaTelecomKR KIXS-AS-KRKoreaTelecomKR
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://klanet.duckdns.org:663
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://klanet.duckdns.org:663/resource/version.tsv
Source: giLqLXLHs3.exe | String found in binary or memory: http://klanet.duckdns.org:663/resource/version.tsv#downloadVoicePack#WindowBorderBrush
Source: giLqLXLHs3.exe | String found in binary or memory: http://klanet.duckdns.org:663/version
Source: giLqLXLHs3.exe | String found in binary or memory: http://metro.mahapps.com/winfx/xaml/iconpacks
Source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://metro.mahapps.com/winfx/xaml/iconpackseup
Source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://metro.mahapps.com/winfx/xaml/iconpacksp
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nlog-project.org/ws/
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nlog-project.org/ws/3
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nlog-project.org/ws/5
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nlog-project.org/ws/T
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0K
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: giLqLXLHs3.exe, 00000000.00000002.544818086.000000000A24E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: giLqLXLHs3.exe | String found in binary or memory: http://www.quickzip.org/BaseControls
Source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.quickzip.org/BaseControlsx
Source: giLqLXLHs3.exe, 00000000.00000002.544818086.000000000A24E000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.544737200.000000000A232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: giLqLXLHs3.exe, 00000000.00000003.254202440.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.254322553.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.254180030.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.254271837.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.544737200.000000000A232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://design.google
Source: giLqLXLHs3.exe | String found in binary or memory: https://design.googleGoogle
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gall.dcinside.com/
Source: giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gall.dcinside.com/micateam/1644952)
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/MahApps/MahApps.Metro.IconPacks.git
Source: giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/MahApps/MahApps.Metro.IconPacks.git&
Source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.521156580.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Templarian/MaterialDesign/blob/master/LICENSE
Source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Templarian/MaterialDesign/blob/master/LICENSE-
Source: giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://materialdesignicons.com/
Source: giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nlog-project.org/
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/json
Source: giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | DNS traffic detected: queries for: klanet.duckdns.org
Source: global traffic | HTTP traffic detected: GET /resource/version.tsv HTTP/1.1 User-Agent: request Host: klanet.duckdns.org:663 Connection: Keep-Alive
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: _originalFileName vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNLog.dll: vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.Material.dllP vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: _originalFileName vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNLog.dll: vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.Material.dllP vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: _originalFileName vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNLog.dll: vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.Core.dllP vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.Material.dllP vs giLqLXLHs3.exe
Source: giLqLXLHs3.exe | Binary or memory string: OriginalFilenameGFAlarmUpdater.exe> vs giLqLXLHs3.exe
Source: C:\Users\user\Desktop\giLqLXLHs3.exe | File read: C:\Users\user\Desktop\giLqLXLHs3.exe:Zone.Identifier
Source: giLqLXLHs3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: giLqLXLHs3.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: classification engine | Classification label: mal64.troj.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\giLqLXLHs3.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\giLqLXLHs3.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: giLqLXLHs3.exe | Static file information: File size 2366976 > 1048576
Source: giLqLXLHs3.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: giLqLXLHs3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: giLqLXLHs3.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x239e00
Source: giLqLXLHs3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.mahapps.metro.iconpacks.material.pdb.compressed|||MahApps.Metro.IconPacks.Material.pdb|820140E5CD1F78B1B22706BEBC6182C6B8D36E7C|44544 source: giLqLXLHs3.exe
            Source: Binary string: costura.htmltextblock.pdb.compressed|||HtmlTextBlock.pdb|18E9F604D8CE1318CCE807BC9B87E6DC42F547B8|60928 source: giLqLXLHs3.exe

            Data Obfuscation

            barindex
            Source: Yara match | File source: giLqLXLHs3.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.giLqLXLHs3.exe.7f0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000000.241342686.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: giLqLXLHs3.exe PID: 6084, type: MEMORYSTR
            Source: giLqLXLHs3.exe | Static PE information: 0x81A88C7C [Tue Dec 7 03:54:36 2038 UTC]

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 663
            Source: unknown | Network traffic detected: HTTP traffic on port 663 -> 49687
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Process information set: NOOPENFILEERRORBOX (105 identical entries)
            Source: giLqLXLHs3.exe, 00000000.00000002.539968379.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Users\user\Desktop\giLqLXLHs3.exe VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Users\user\Desktop\giLqLXLHs3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            ATT&CK Matrix, one row per tactic (a number in parentheses is the count the report attaches to that technique):

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Defense Evasion: Disable or Modify Tools (1); Timestomp (1); Obfuscated Files or Information; Binary Padding
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
            Discovery: Security Software Discovery (1); System Information Discovery (12); Remote System Discovery (1); System Network Configuration Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
            Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
            Command and Control: Non-Standard Port (11); Non-Application Layer Protocol (2); Application Layer Protocol (12); Ingress Tool Transfer (1)
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
            Impact: Modify System Partition; Device Lockout; Delete Device Data
            Source | Detection | Scanner | Label | Link
            giLqLXLHs3.exe | 0% | ReversingLabs
            giLqLXLHs3.exe | 100% | Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            klanet.duckdns.org | 5% | Virustotal | Browse
            Source | Detection | Scanner | Label | Link
            http://klanet.duckdns.org:663/resource/version.tsv#downloadVoicePack#WindowBorderBrush | 0% | Avira URL Cloud | safe
            http://www.goodfont.co.kr | 0% | URL Reputation | safe
            http://metro.mahapps.com/winfx/xaml/iconpacksp | 0% | Avira URL Cloud | safe
            http://www.quickzip.org/BaseControlsx | 0% | Avira URL Cloud | safe
            http://klanet.duckdns.org:663/resource/version.tsv#downloadVoicePack#WindowBorderBrush | 3% | Virustotal | Browse
            http://metro.mahapps.com/winfx/xaml/iconpackseup | 0% | Avira URL Cloud | safe
            http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://metro.mahapps.com/winfx/xaml/iconpacks | 0% | Virustotal | Browse
            http://klanet.duckdns.org:663 | 0% | Avira URL Cloud | safe
            http://www.quickzip.org/BaseControls | 0% | Avira URL Cloud | safe
            http://klanet.duckdns.org:663/version | 0% | Avira URL Cloud | safe
            http://klanet.duckdns.org:663/resource/version.tsv | 0% | Avira URL Cloud | safe
            http://metro.mahapps.com/winfx/xaml/iconpacks | 0% | Avira URL Cloud | safe
            https://design.googleGoogle | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            klanet.duckdns.org | 221.157.45.236 | true | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://klanet.duckdns.org:663/resource/version.tsv | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://github.com/Templarian/MaterialDesign/blob/master/LICENSE | giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.521156580.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://design.google | giLqLXLHs3.exe, 00000000.00000003.254202440.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.254322553.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.254180030.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.254271837.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.544737200.000000000A232000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://github.com/MahApps/MahApps.Metro.IconPacks.git& | giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp | false | | high
            http://klanet.duckdns.org:663/resource/version.tsv#downloadVoicePack#WindowBorderBrush | giLqLXLHs3.exe | true | 3% Virustotal (Browse); Avira URL Cloud: safe | unknown
            https://materialdesignicons.com/ | giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.quickzip.org/BaseControlsx | giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://schemas.xmlsoap.org/soap/envelope/ | giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://metro.mahapps.com/winfx/xaml/iconpacksp | giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://nlog-project.org/ | giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://www.newtonsoft.com/json | giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | false | | high
            https://github.com/MahApps/MahApps.Metro.IconPacks.git | giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.537357922.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://metro.mahapps.com/winfx/xaml/iconpacks | giLqLXLHs3.exe | false | 0% Virustotal (Browse); Avira URL Cloud: safe | unknown
            http://metro.mahapps.com/winfx/xaml/iconpackseup | giLqLXLHs3.exe, 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.goodfont.co.kr | giLqLXLHs3.exe, 00000000.00000002.544818086.000000000A24E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.nuget.org/packages/NLog.Web.AspNetCore | giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://design.googleGoogle | giLqLXLHs3.exe | false | Avira URL Cloud: safe | unknown
            http://james.newtonking.com/projects/json | giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://klanet.duckdns.org:663 | giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
            http://nlog-project.org/ws/T | giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep | giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://gall.dcinside.com/micateam/1644952) | giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://klanet.duckdns.org:663/version | giLqLXLHs3.exe | true | Avira URL Cloud: safe | unknown
            http://nlog-project.org/dummynamespace/ | giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages | giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://www.newtonsoft.com/jsonschema | giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | false | | high
            https://www.nuget.org/packages/Newtonsoft.Json.Bson | giLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmp | false | | high
            http://nlog-project.org/ws/ | giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.sandoll.co.kr | giLqLXLHs3.exe, 00000000.00000002.544818086.000000000A24E000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.544737200.000000000A232000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT | giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false
                                                high
                                                http://www.quickzip.org/BaseControlsgiLqLXLHs3.exefalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namegiLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://gall.dcinside.com/giLqLXLHs3.exe, 00000000.00000002.525163252.000000000330F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://github.com/Templarian/MaterialDesign/blob/master/LICENSE-giLqLXLHs3.exe, 00000000.00000003.275151839.0000000004179000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532888552.0000000005590000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.283786696.00000000047D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://nlog-project.org/ws/3giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://nlog-project.org/ws/5giLqLXLHs3.exe, 00000000.00000002.537390197.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.529086758.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.530861599.0000000004059000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://github.com/JamesNK/Newtonsoft.JsongiLqLXLHs3.exe, 00000000.00000003.245106817.0000000004059000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000003.244673513.0000000003E22000.00000004.00000800.00020000.00000000.sdmp, giLqLXLHs3.exe, 00000000.00000002.532173168.00000000053A0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                            high
IP              Domain              Country            ASN   ASN Name                  Malicious
221.157.45.236  klanet.duckdns.org  Korea Republic of  4766  KIXS-AS-KRKoreaTelecomKR  true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 738927
Start date and time: 2022-11-05 20:03:28 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: giLqLXLHs3.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.troj.evad.winEXE@1/0@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com
• Execution Graph export aborted for target giLqLXLHs3.exe, PID 6084 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
                                                            No simulations
                                                            No context
                                                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.864152844370486
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: giLqLXLHs3.exe
File size: 2366976
MD5: d7f34f1712688bb9564296842355a8b9
SHA1: 1245a185de18808ef075297fc4740d7a3b7b6381
SHA256: c9944c04100d2b5d75b8bff00359b3bef6481bdb72d965032ac800d99cb4fe1a
SHA512: 686e1a19c760f48dc029d7fea8a523817a88e05f503780b7e0270787d7dd2e87fdc0d080ba711bc38dbfecf2d8d001cd011d80f3826156eb4fe8728f56077ae1
SSDEEP: 49152:TcGa5dzwr9jrwnkUeZw+W7SCYFllu0DcJ:LuUr9jrwn7eq2Fl/4J
TLSH: 90B50218B2DABE2DDBAB25FD46B5E2A9DD77615D1319821F3047F322E8290C00F446DE
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|............."...0...#..~........#.. ........@.. .......................`$...........`................................
Icon Hash: ceb292d2d2d2d2d2
Entrypoint: 0x63bc1e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x81A88C7C [Tue Dec 7 03:54:36 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x23bbd0         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x23c000         0x7a6c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x244000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x23bb44         0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x239c24      0x239e00  unknown   unknown              unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x23c000         0x7a6c        0x7c00    False     0.44137474798387094  data       6.562813008648801    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x244000         0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size    Type                                                                                Language  Country
RT_ICON        0x23c180  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_ICON        0x23c5f8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2304
RT_ICON        0x23cf90  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON        0x23e048  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON        0x240600  0x23a8  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0x2429b8  0x4c    data
RT_VERSION     0x242a14  0x34c   data
RT_MANIFEST    0x242d70  0xcf8   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Nov 5, 2022 20:04:33.673718929 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:33.928922892 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:33.929167032 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:33.955842972 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.210021973 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210508108 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210542917 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210567951 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210593939 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210614920 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.210617065 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210640907 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210664034 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210685968 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210690975 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.210690975 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.210707903 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210731030 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.210740089 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.210774899 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.464986086 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465080023 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465141058 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465190887 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465192080 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.465245008 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.465277910 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465320110 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465359926 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465395927 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.465399027 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465440989 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465440989 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.465482950 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465527058 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465533972 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.465568066 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465606928 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465615988 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.465646982 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465687037 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465691090 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.465727091 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465764999 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465770006 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.465804100 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465856075 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.465857029 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465898037 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.465949059 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.720782042 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.720823050 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.720845938 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.720869064 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.720911980 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.720953941 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.720993996 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.721034050 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.721067905 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.721072912 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.721112967 CET  663          49687      221.157.45.236  192.168.2.7
Nov 5, 2022 20:04:34.721148968 CET  49687        663        192.168.2.7     221.157.45.236
Nov 5, 2022 20:04:34.721196890 CET  49687        663        192.168.2.7     221.157.45.236
                                                            Nov 5, 2022 20:05:39.212266922 CET66349687221.157.45.236192.168.2.7
                                                            Nov 5, 2022 20:05:39.212785959 CET49687663192.168.2.7221.157.45.236
                                                            Nov 5, 2022 20:06:14.806737900 CET49687663192.168.2.7221.157.45.236
                                                            Nov 5, 2022 20:06:15.061157942 CET66349687221.157.45.236192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2022 20:04:33.538115025 CET | 58346 | 53 | 192.168.2.7 | 8.8.8.8
Nov 5, 2022 20:04:33.651215076 CET | 53 | 58346 | 8.8.8.8 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2022 20:04:33.538115025 CET | 192.168.2.7 | 8.8.8.8 | 0xd662 | Standard query (0) | klanet.duckdns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2022 20:04:33.651215076 CET | 8.8.8.8 | 192.168.2.7 | 0xd662 | No error (0) | klanet.duckdns.org | | 221.157.45.236 | A (IP address) | IN (0x0001) | false

• klanet.duckdns.org:663

No statistics

Target ID: 0
Start time: 20:04:25
Start date: 05/11/2022
Path: C:\Users\user\Desktop\giLqLXLHs3.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\giLqLXLHs3.exe
Imagebase: 0x7f0000
File size: 2366976 bytes
MD5 hash: D7F34F1712688BB9564296842355A8B9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.520653994.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.241342686.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low

No disassembly