Windows Analysis Report g5tO58gHku.exe

C2 URLs / IPs found in malware configuration

Source: g5tO58gHku.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: g5tO58gHku.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor

URLs: hicham157484.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: hicham157484.ddns.net

Yara detected Generic Downloader

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 45.74.34.32:1994

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:51321

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: hicham157484.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

System Summary

Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2913332670.000000000155D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2914216223.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Sample file is different than original file name gathered from version info

Source: g5tO58gHku.exe, 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs g5tO58gHku.exe
Source: g5tO58gHku.exe	Binary or memory string: OriginalFilenameStub.exe" vs g5tO58gHku.exe

Source: g5tO58gHku.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2913332670.000000000155D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2914216223.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: g5tO58gHku.exe, uuJguqNBkt.cs

Base64 encoded string: 'wXVQoCsf5HlA5KLSC6svPqkNYRDV04j3/uat00BMJiHdQp9fZH00DEj9TOroLx62PV7pTyMotl+yHeMqQbn5MA==', 'SLahgxO4mgId/WSbcqGlmObu2jUUMED2GnbhsPSV2GsCTDPBPhFwuH8JeezbULhaMlaerNi5WcAUo/MZJpwkXA==', 'MRjF9uKhMKOGTQW9eS4xwEiQ5Z3pg8Di1weKZlHiNBowWCZYiVWj/4eAcIM0gutNtDbelyA+zeYRfUr4qvOxhQeGulP8zWcc0YRE2Pmlz8s=', 'Thz3V2WUhdTsoIYCsEy+KDjYlFT3mQwWArVEN4EJAQgoeke7gnWYNobaiMb4ifmcVfDbcAN7FDSZIXV2V4CuFY7bKAJXQNy/RaUzKdGpHxfsJLz/PhcvegAmJU5+xUY638Uredi12FZEgqt8EFBBdJ+xxMMhbCdzDVtiG2G/cXEF6OORJnlIZKCZIJRlFrXpK846ljwv9q9GAbRH0eRWdxkxEkxcT1trmf1eTyJGOJZ3xxIpTN+aPWKZpJga7Gom1ildKTgxTeQWkao5przsNV1Yi5mRBwl/8sEfkgNeUIOPu/pP4z8PTr69iJsBbMmGpXuJsZdvFwTnbrJgroOtmfgSZq6IM7Bx8B3Qe9UU4TD8oHiUu1WjzaqmwWkGIu4Tr4Cq0/lkLmcJ9ojA4l/DmNe5qIvhe2//Y8hKVSQ4ZKOADp0jtGvrUFvSFjD1hzAuOS+feAO2dE1ix+EAIygVP0hzcmdLuqe3jPdL1/+8f/y6GdhXThqxSdm7fAXrV8jaFUzYwHGtwKSrVhm2M1xuxivTc6RdJ7B81YQBinW3GLXABWdO6CmuNj/ddTfkqxoecdHYDibOC2aU/8s6eFiLIepV9LhRhfpfWKFIwsZn7fBmtlfdf+hQ73Z0ZG7dRvTyBG3S8Nl3Lqcr6LeqAwFhwnHCVwzNMds4wSlwZnsKVLLqt8HfAp9kV0z6WrcLOFve5kRge83kN6JVYqLzxFNcVcGX8ys6P1yZA7yeK3huXbni7n1sn8+fmc7cyHtfQqQxrO1UQ/uONN502Zfkqm5PQAKtADz4rz6T/Hv1uNYLEJ7NZbrBVan1tXSrwJ/crmt6/+cXfBdgtdN+6qM1YCm+szWJADPouFDX08i4DwufGrlVXNMK91dB5emBf7ErzcWo6UNTW25KxTQO0zRy9917fSafQJinHRBGBmphYeDkZGkciY06BwOFo8ufQ3fP5GNLrPc1nikV3cGe7v+cECuVs1MTA3MolYfC35Oxtk8mv/7bV9F8Mi9G9Z5rHRPDr5bBBHa4/Jamwg300JWd42I1lysmxSwGrZ01skvew24SSA4PELzLIDoyNqM4xxdA7ExNfZq+DDG78j9RIU5zsx02tBoxHJIZGrqMh6SlQ/IqEp35VwlUWo+ce7CM9AesTqMzyLS0KSLT3VWf8ZT/kfeFLkgUHiHqil/1CJU2+KyVilzol+bMay9aK6Oq+MMqzwPCLiZvtfJG2XUbDGo9n0vxckdnTM6FCWqnwznpNQmDCYVh1gfyqsSBhY7/M64crW5QAUYsYuNIIBsVMOM9kldGjTer0QOn4ttJxEKgwh+jmBWB/DTcS4ZS0UhsjPweE96Gd56yWtvSdWSyrLo8SzmfBXlaHvaxRZjXq2AB/6aPS5u8na4Fdq6tLjtCdR6uRzJqfRbrcKI/huQIPM1XfPBHarysLt6uF5pcnd8RHNJbDy9m65voweDCGF17SDhziDKsuoo4rAwCHvq6IWzrDtgFP0fcIkDWhLYO19Yy4o2j4XkdrhU2FOi2YnwP/HyDYfJ//rXmC8dA/Irm/ODbH4EOdbg6vRHgaq8vhOdMOEybz4YCdTPA/3F0Lg44zML9QUZxc9wicREAkTgQV0Ep+nmktHXTowdGjemZF3ar18EwsB1BITIhrijXVUIP6YpliNa3zgIE8ECP3wrbDx1qZh6vsNHZ21ZqBAaXRS3HFVzOZCtgRVuBpOdKSG2lhCDXCZlZf9MW+90M+ChKcO3L57auVOg5ANnuMgp8d8v7d4lqI/aGh6tTj1/x1J5pVW3N4aV+tExq5seM7E0pbSCmpng87WnHfSyqOr0K2tTABsIUXUUswrKhLWxU7pa2Wphcq4QqQPpt/u9su7rhYFrwNXDw0Jpy3nw7R7zyg8ZP/S0K8kd20UA0sOZEwXcKAiv2uLyII6oktmqu4rgerUifL8GtuZvt/T3btVjERtiRODCCLGn+3aeNWoxLTGV7xq127S+PAlDaWWr8nQfBAg2599TiiiyNOkRv/E0HOT5Xw5xKiLGaJrfnn7G8sIu6uweT/aTl7U6WQh1w3l0ZmEn2c3s/BOTOJh+M+cGJ67aZwho519L158V+3vZ4hVShDU/rpB50ZdKGZb64NPPrTqPSb1KRcTDhCsKx3J4zNYsBnFr81zsfDFXA+FeAyq+gFm2F1+sBwyeBKvmuABlYVTZ7R2aqYxr3eJyPXF3DMo8+HgH6BkwNDOWrqgl0MKAXMLDoiDBmK68iCVM6roWPKZqFnMwvx+cX+V2jJ3r9cfclL/oj5hNp8iMEHuVz+TPqcYuqGFIdHQIWptEtwJtqophf6nLx3Mic7gwXTVsrMgM7dZBe7uk=', 'QXF7oKzB62+F/rC6O2myfOH5PTRR3qRk2JDogjRXT6UP/ewOoVAnKxDRiX19Ft1fKoTFr9oNiV0rshkDC0u/x3ri/5X7JwzzQ1NOcNimoj82dadd6OVd5uohNihz8jG9N0//SEqWtfX4so034gu85kOUsQ4jmv1qFr5RCmqC0+z2CKXeLjQsRMYUcMnL+NC6CL0qDgpDAJtn39qa0nEla1GI6EEMt8j6ou37IbJqXg8+0W+blBCTwtkzqHaGTUh+XaEx9yOUzWDzIU3LrTYU5CPImPTmYk9Gva8mxey5r/e299FkJY1JsxZsrebKXihkLwtKJsbqBizq+3lt/gvwVU5Hxo+y9X5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/1

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Mutant created: \Sessions\1\BaseNamedObjects\DETDSVSEFF555_6SSDFSDF

Source: g5tO58gHku.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: g5tO58gHku.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: g5tO58gHku.exe	ReversingLabs: Detection: 86%
Source: g5tO58gHku.exe	Virustotal: Detection: 80%

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: schannel.dll	Jump to behavior

Source: g5tO58gHku.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: g5tO58gHku.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: g5tO58gHku.exe, UEEQjljDnMAmdU.cs

High entropy of concatenated method names: 'zxVMFHwJRCAkE', 'rAQAwYjrswzkw', 'PHjybnldWPF', 'oYnTfUHZxktNL', 'cmRIaMNQYTR', 'ZklGLMATLyywZ', 'IdZcStpZYJmagK', 'bynGmBXYGfMe', 'vdGKaQZyFOgOOeC', 'ZldBPExDCQYvgtX'

Boot Survival

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

Source: g5tO58gHku.exe

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Memory allocated: 5290000 memory reserve \| memory write watch	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\g5tO58gHku.exe TID: 7412

Thread sleep time: -35000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\g5tO58gHku.exe

File Volume queried: C:\ FullSizeInformation

Source: g5tO58gHku.exe	Binary or memory string: vmware
Source: g5tO58gHku.exe, 00000000.00000002.2913332670.0000000001574000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Memory allocated: page read and write | page guard

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Queries volume information: C:\Users\user\Desktop\g5tO58gHku.exe VolumeInformation

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Antivirus / Scanner detection for submitted sample

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.74.34.32	hicham157484.ddns.net	United States		9009	M247GB	true

Contacted Domains

Name	IP	Active
hicham157484.ddns.net	45.74.34.32	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
hicham157484.ddns.net	true	8%, Virustotal, Browse	unknown

AV Detection

Source: g5tO58gHku.exe

Avira: detected

Found malware configuration

Source: g5tO58gHku.exe

Multi AV Scanner detection for domain / URL

Source: hicham157484.ddns.net	Virustotal: Detection: 8%			Perma Link
Source: hicham157484.ddns.net	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for submitted file

Source: g5tO58gHku.exe	ReversingLabs: Detection: 86%
Source: g5tO58gHku.exe	Virustotal: Detection: 80%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: g5tO58gHku.exe

Joe Sandbox ML: detected

C2 URLs / IPs found in malware configuration

Source: g5tO58gHku.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: g5tO58gHku.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor

URLs: hicham157484.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: hicham157484.ddns.net

Yara detected Generic Downloader

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 45.74.34.32:1994

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:51321

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: hicham157484.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

System Summary

Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2913332670.000000000155D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2914216223.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Sample file is different than original file name gathered from version info

Source: g5tO58gHku.exe, 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs g5tO58gHku.exe
Source: g5tO58gHku.exe	Binary or memory string: OriginalFilenameStub.exe" vs g5tO58gHku.exe

Source: g5tO58gHku.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2913332670.000000000155D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2914216223.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: g5tO58gHku.exe, uuJguqNBkt.cs

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/1

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Mutant created: \Sessions\1\BaseNamedObjects\DETDSVSEFF555_6SSDFSDF

Source: g5tO58gHku.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: g5tO58gHku.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: g5tO58gHku.exe	ReversingLabs: Detection: 86%
Source: g5tO58gHku.exe	Virustotal: Detection: 80%

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: schannel.dll	Jump to behavior

Source: g5tO58gHku.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: g5tO58gHku.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: g5tO58gHku.exe, UEEQjljDnMAmdU.cs

Boot Survival

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

Source: g5tO58gHku.exe

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Memory allocated: 5290000 memory reserve \| memory write watch	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\g5tO58gHku.exe TID: 7412

Thread sleep time: -35000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\g5tO58gHku.exe

File Volume queried: C:\ FullSizeInformation

Source: g5tO58gHku.exe	Binary or memory string: vmware
Source: g5tO58gHku.exe, 00000000.00000002.2913332670.0000000001574000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Memory allocated: page read and write | page guard

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Queries volume information: C:\Users\user\Desktop\g5tO58gHku.exe VolumeInformation

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings