Windows Analysis Report
EeXJoO1J62.exe

AI detected suspicious sample

Source: Yara match	File source: EeXJoO1J62.exe, type: SAMPLE
Source: Yara match	File source: 5.0.EeXJoO1J62.exe.29cae270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1277758910.0000029CAE272000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EeXJoO1J62.exe PID: 5348, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.2% probability

Machine Learning detection for sample

Source: EeXJoO1J62.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.11:49708 version: TLS 1.2

Source: EeXJoO1J62.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\EeXJoO1J62.PDB source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\Desktop\EeXJoO1J62.PDB9b source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8A17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbU source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: m.pdbp source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.Web.Extensions.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: b77a5c561934e089\mscorlib.pdb= source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8A17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Web.Extensions.pdbp source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.pdb(\Q source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8A17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: C:\Users\user\Desktop\EeXJoO1J62.PDB source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: EeXJoO1J62.PDB source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8A17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCBB2.tmp.dmp.10.dr

Source: global traffic

HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: LIAfAmPHO7MZvdbGNUjUIA==Sec-WebSocket-Version: 13Host: gateway.discord.gg

Source: Joe Sandbox View

IP Address: 162.159.136.234 162.159.136.234

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: LIAfAmPHO7MZvdbGNUjUIA==Sec-WebSocket-Version: 13Host: gateway.discord.gg

Source: global traffic

DNS traffic detected: DNS query: gateway.discord.gg

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Dec 2024 09:17:31 GMTContent-Length: 0Connection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HBv8kCeayGbSWq83pLURg8O3N%2BCCAP7700C1t4UkzRDbQhn1%2F6Nxoztt%2FqCGLZccD7heg3sKnKx7UJa71SJDRBpPhEHHurzXjU%2BJ0Sg3UlAt1mHoDzLc3ke4g5gytfzaZZbG0Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffServer: cloudflareCF-RAY: 8edb2eee9e13330c-EWR

Source: EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFFD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gateway.discord.gg
Source: EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFF21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: EeXJoO1J62.exe	String found in binary or memory: http://www.google.com/maps/place/
Source: EeXJoO1J62.exe	String found in binary or memory: https://discord.com/api/v9/channels/
Source: EeXJoO1J62.exe	String found in binary or memory: https://discord.com/api/v9/guilds/
Source: EeXJoO1J62.exe	String found in binary or memory: https://file.io/
Source: EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFFB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg
Source: EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFFB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
Source: EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFFB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
Source: EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFF21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: EeXJoO1J62.exe	String found in binary or memory: https://geolocation-db.com/json
Source: EeXJoO1J62.exe	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
Source: EeXJoO1J62.exe	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
Source: EeXJoO1J62.exe	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
Source: EeXJoO1J62.exe	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
Source: EeXJoO1J62.exe	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.11:49708 version: TLS 1.2

E-Banking Fraud

Source: Yara match	File source: EeXJoO1J62.exe, type: SAMPLE
Source: Yara match	File source: 5.0.EeXJoO1J62.exe.29cae270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1277758910.0000029CAE272000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EeXJoO1J62.exe PID: 5348, type: MEMORYSTR

Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Code function: 5_2_00007FFE7E1312E0	5_2_00007FFE7E1312E0
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Code function: 5_2_00007FFE7E1312D1	5_2_00007FFE7E1312D1
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Code function: 5_2_00007FFE7E1313FB	5_2_00007FFE7E1313FB
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Code function: 5_2_00007FFE7E1313D3	5_2_00007FFE7E1313D3

Source: C:\Users\user\Desktop\EeXJoO1J62.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5348 -s 2332

Source: EeXJoO1J62.exe

Static PE information: No import functions for PE file found

Source: EeXJoO1J62.exe, 00000005.00000000.1277758910.0000029CAE286000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameDiscord rat.exe8 vs EeXJoO1J62.exe
Source: EeXJoO1J62.exe	Binary or memory string: OriginalFilenameDiscord rat.exe8 vs EeXJoO1J62.exe

Source: classification engine

Classification label: mal80.troj.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5348

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\91c03ba9-ca1b-447d-8d43-e403c862b65f

Source: EeXJoO1J62.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EeXJoO1J62.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\EeXJoO1J62.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: EeXJoO1J62.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\EeXJoO1J62.exe

File read: C:\Users\user\Desktop\EeXJoO1J62.exe

Source: unknown	Process created: C:\Users\user\Desktop\EeXJoO1J62.exe "C:\Users\user\Desktop\EeXJoO1J62.exe"
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5348 -s 2332

Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: websocket.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\EeXJoO1J62.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\EeXJoO1J62.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: EeXJoO1J62.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EeXJoO1J62.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: EeXJoO1J62.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\EeXJoO1J62.PDB source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\Desktop\EeXJoO1J62.PDB9b source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8A17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbU source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: m.pdbp source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.Web.Extensions.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: b77a5c561934e089\mscorlib.pdb= source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8A17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Web.Extensions.pdbp source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.pdb(\Q source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8A17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8991000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: C:\Users\user\Desktop\EeXJoO1J62.PDB source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: EeXJoO1J62.PDB source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: EeXJoO1J62.exe, 00000005.00000002.1578769033.0000029CC8A17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: EeXJoO1J62.exe, 00000005.00000002.1577385395.000000BA5B1F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERCBB2.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCBB2.tmp.dmp.10.dr

Data Obfuscation

Source: EeXJoO1J62.exe, Program.cs	.Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
Source: EeXJoO1J62.exe, Program.cs	.Net Code: password
Source: EeXJoO1J62.exe, Program.cs	.Net Code: webcampic
Source: EeXJoO1J62.exe, Program.cs	.Net Code: select_cam
Source: EeXJoO1J62.exe, Program.cs	.Net Code: get_cams
Source: EeXJoO1J62.exe, Program.cs	.Net Code: get_tokens

Source: EeXJoO1J62.exe

Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]

Source: C:\Users\user\Desktop\EeXJoO1J62.exe

Code function: 5_2_00007FFE7E1300BD pushad ; iretd

5_2_00007FFE7E1300C1

Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Memory allocated: 29CAFD70000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Memory allocated: 29CC7F20000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\EeXJoO1J62.exe TID: 5752	Thread sleep count: 314 > 30			Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe TID: 5116	Thread sleep count: 174 > 30			Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: EeXJoO1J62.exe, 00000005.00000002.1577846920.0000029CAE499000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJJ"
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\EeXJoO1J62.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\EeXJoO1J62.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Queries volume information: C:\Users\user\Desktop\EeXJoO1J62.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\EeXJoO1J62.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\EeXJoO1J62.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Contains functionality to disable the Task Manager (.Net Source)

Lowering of HIPS / PFW / Operating System Security Settings

Source: EeXJoO1J62.exe, Program.cs

.Net Code: DisableTaskManager

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: EeXJoO1J62.exe, type: SAMPLE
Source: Yara match	File source: 5.0.EeXJoO1J62.exe.29cae270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1277758910.0000029CAE272000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EeXJoO1J62.exe PID: 5348, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: EeXJoO1J62.exe, type: SAMPLE
Source: Yara match	File source: 5.0.EeXJoO1J62.exe.29cae270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1277758910.0000029CAE272000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EeXJoO1J62.exe PID: 5348, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	3 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	3 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
EeXJoO1J62.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DiscordRAT
EeXJoO1J62.exe	100%	Avira	TR/Agent.lsgui
EeXJoO1J62.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gateway.discord.gg	162.159.136.234	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gateway.discord.gg/?v=9&encording=json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://geolocation-db.com/json	EeXJoO1J62.exe	false	high
https://file.io/	EeXJoO1J62.exe	false	high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte	EeXJoO1J62.exe	false	high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll	EeXJoO1J62.exe	false	high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d	EeXJoO1J62.exe	false	high
https://gateway.discord.gg:443/?v=9&encording=json	EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFF21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.10.dr	false	high
http://gateway.discord.gg	EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFFD5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gateway.discord.gg	EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFFB9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll	EeXJoO1J62.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFF21000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v9/channels/	EeXJoO1J62.exe	false	high
https://gateway.discord.gg/?v=9&encording=jsonX	EeXJoO1J62.exe, 00000005.00000002.1578328505.0000029CAFFB9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v9/guilds/	EeXJoO1J62.exe	false	high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra	EeXJoO1J62.exe	false	high
http://www.google.com/maps/place/	EeXJoO1J62.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.136.234	gateway.discord.gg	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569807
Start date and time:	2024-12-06 10:16:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EeXJoO1J62.exe renamed because original name is a hash value
Original Sample Name:	6c7dfceb22fe0ef78835f29e53ae6b3e.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@2/5@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target EeXJoO1J62.exe, PID 5348 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: EeXJoO1J62.exe

Simulations

Behavior and APIs

Time	Type	Description
04:17:57	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.136.234	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse
	http://relay.csgoze520.com/	Get hash	malicious	Unknown	Browse
	https://hkdiscord.antsoon.com/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Stealer.1210.4443.27895.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse
	http://www.cyclic.sh/pricing	Get hash	malicious	HTMLPhisher	Browse
	bang_executor.exe	Get hash	malicious	Dicrord Rat	Browse
	noway-2D8EB.exe	Get hash	malicious	Dicrord Rat	Browse
	SecuriteInfo.com.Exploit.Shell.29354.24275.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Exploit.Shell.29354.24275.exe	Get hash	malicious	Unknown	Browse
	1EdVSOmvh0.exe	Get hash	malicious	Dicrord Rat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gateway.discord.gg	gcrY4QgzW9.exe	Get hash	malicious	Discord Rat	Browse	162.159.135.234
	XZaysgiUfm.exe	Get hash	malicious	Discord Rat	Browse	162.159.133.234
	SecuriteInfo.com.Win64.MalwareX-gen.18133.14409.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	BX7yRz7XqF.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	162.159.135.234
	jKSjtQ8W7O.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	162.159.135.234
	U7TJ7Rq13y.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	162.159.133.234
	Sv6eQZzG0Z.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	162.159.135.234
	https://bafybeihwopeeamsw6gk3vbg3wbftvt3n2qngbzo5a4hlnpvlv4hc3vvmyy.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse	162.159.136.234
	https://mjj.aigc369.com/	Get hash	malicious	Unknown	Browse	162.159.133.234
	http://relay.csgoze520.com/	Get hash	malicious	Unknown	Browse	162.159.136.234

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	gcrY4QgzW9.exe	Get hash	malicious	Discord Rat	Browse	162.159.135.234
	XZaysgiUfm.exe	Get hash	malicious	Discord Rat	Browse	162.159.133.234
	pn866G3CCj.lnk	Get hash	malicious	Unknown	Browse	104.21.21.242
	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	172.67.178.93
	vZAhXkWkDT.lnk	Get hash	malicious	Unknown	Browse	104.21.21.242
	Voicemail_+Transcription001799.docx	Get hash	malicious	Unknown	Browse	104.21.96.1
	REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx _ .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	http://www.javatpoint.com.cach3.com/	Get hash	malicious	Unknown	Browse	104.21.43.239
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	gcrY4QgzW9.exe	Get hash	malicious	Discord Rat	Browse	162.159.136.234
	XZaysgiUfm.exe	Get hash	malicious	Discord Rat	Browse	162.159.136.234
	REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe	Get hash	malicious	AgentTesla	Browse	162.159.136.234
	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx _ .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	162.159.136.234
	Fiyat Teklifi_2038900001-MOKAPTO-06122024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	162.159.136.234
	NewOrder12052024.js	Get hash	malicious	Remcos	Browse	162.159.136.234
	16547.js	Get hash	malicious	MassLogger RAT	Browse	162.159.136.234
	PO54782322024.exe	Get hash	malicious	AgentTesla	Browse	162.159.136.234
	965600.invoice.exe	Get hash	malicious	FormBook	Browse	162.159.136.234
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	162.159.136.234

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EeXJoO1J62.exe_b1f826acfe3b9f749d2c8e7f4361d5743169d4d_ea21c302_e0266a44-88f5-489b-9012-6116fc9f08b0\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.165789510559808
Encrypted:	false
SSDEEP:	192:ZurR3P08rLVkaWQdl/N6fmzuiFWZ24lO8M:crRs8rLVkar/gfmzuiFWY4lO8M
MD5:	81CB8E2047F094EB7E2F84050C759812
SHA1:	D02AC7C2B652712F05A3195E2692284F070ECD7B
SHA-256:	6C2BA02942BFF18C80093E6A69DFD81C31ED18731BC36490CB258393A6D34D7B
SHA-512:	3252A0A3531E757EDFD5654D126A05825A7ECD3FFBB9C7B1A6D8E12F8440318DB2EE38EC5A40CDD3A9DB130AE0A950D9FEA5EC76810251861CD5824FBF5FDD24
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.9.5.0.2.5.1.4.4.7.2.1.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.9.5.0.2.5.2.2.2.8.4.6.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.2.6.6.a.4.4.-.8.8.f.5.-.4.8.9.b.-.9.0.1.2.-.6.1.1.6.f.c.9.f.0.8.b.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.3.5.7.f.8.e.-.5.2.3.8.-.4.3.5.a.-.b.3.7.f.-.3.c.7.4.a.f.d.4.6.9.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.e.X.J.o.O.1.J.6.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.i.s.c.o.r.d. .r.a.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.e.4.-.0.0.0.1.-.0.0.1.3.-.8.d.b.e.-.9.7.a.b.b.f.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.f.e.e.e.1.7.a.3.6.3.4.1.9.f.5.5.d.6.5.e.a.2.c.1.6.f.5.b.3.0.0.0.0.0.0.0.0.0.!.0.0.0.0.c.8.b.2.9.0.b.0.e.c.6.7.a.3.c.a.d.f.a.6.7.6.6.c.f.1.e.6.3.0.4.1.4.c.1.c.6.1.c.1.!.E.e.X.J.o.O.1.J.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBB2.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Dec 6 09:17:31 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	549241
Entropy (8bit):	2.919222473496267
Encrypted:	false
SSDEEP:	3072:xOVgdchwPICEKoVmfyBOXpIymdSZly6s+oRrwg4yUP7lwxcSER8Fu1CCqKE6zu3a:Tc2zEwYLhDhe8aqyu3QjY
MD5:	3A39EAFCB078574B200C7D37D955E915
SHA1:	65AE2802A81AA1953909012EAE770B2215E6D513
SHA-256:	EE1B7512AB9E509CEDD97D4B3EAE3847B4A1CC10141CC596D57E93D6C4127149
SHA-512:	A5CD2221FB1F94FBA0D2F3832C57C087577BAA0F5A4B9C410B304187D4309D9202667CCC96AEEBEE05F0CF59FC0A572D13B2BE71F6E5F7F1FA58B6EBB2A1545F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......+.Rg....................................<....)..........H).......?..............l.......8...........T...........([..Q...........T4..........@6..............................................................................eJ.......6......Lw......................T...........(.Rg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDC6.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8802
Entropy (8bit):	3.7043311082371164
Encrypted:	false
SSDEEP:	192:R6l7wVeJO9xy6Ye3LkZwgmfZMEDKprO89btJ0fzvm:R6lXJsE6Y+LQwgmf5DYt6fS
MD5:	83D4BA93B77D2B2AB0D20916A1E61B50
SHA1:	0AE33DE18F5BCBCB9B0C285D26DBCEAC21BE3496
SHA-256:	053FE77F02B720463803840E37C7EC9A5C6A874DBDA96694F0DD2557330B3AC5
SHA-512:	A5C0B2462463356196358AD62BE86AF6A03904FE327074B11A67C100C98B4A93B664C01A73FCC84B507086AC74FF6D2B2946F61B37F0B7305056EC6463B124F2
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE25.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4806
Entropy (8bit):	4.482777063228815
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZQJg771I9a9WpW8VYOYm8M4Jj4b6Ftyq8vW4b1SGbcend:uIjfwI7pM7VGJUaWNJXbcend
MD5:	83A1DD26C25BF7BC6187325ACEA1839A
SHA1:	C6688338EDE15AED4B13F0A3E8B545B66F62CF89
SHA-256:	BBB21DD67E8500863A24E227DF78DC01F3E4D0F6982AA3C6D4F481ED1897A148
SHA-512:	60992884F0633A4C094E35C5E07FD181698DF840B73350234F4CBCAAE5DDDDFAEB918EB9C0FE601F4D813B3B80550774188662F3F6A5DD67669680B1BEE501DA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="619220" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve