Windows Analysis Report
noway-2D8EB.exe

Machine Learning detection for dropped file

Source: Yara match	File source: 9.0.sussy.exe.2422d870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noway-2D8EB.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sussy.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\sussy.exe, type: DROPPED

Source: C:\Users\user\Desktop\sussy.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: noway-2D8EB.exe

Joe Sandbox ML: detected

Source: noway-2D8EB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: noway-2D8EB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: noway-2D8EB.exe
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb) source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Users\user\Desktop\sussy.PDBbM source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: b77a5c561934e089\mscorlib.pdb source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbc*] source: sussy.exe, 00000009.00000002.1748182123.00000242481F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbE+ source: sussy.exe, 00000009.00000002.1748182123.00000242481F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Web.Extensions.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Web.Extensions.pdbSystem.Configuration.ni.dllY9 source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.pdbvN+ source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: sussy.exe, 00000009.00000002.1748182123.00000242481F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp, WER35BE.tmp.dmp.13.dr
Source:	Binary string: C:\Users\user\Desktop\sussy.PDB source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\sussy.PDB source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: sussy.exe, 00000009.00000002.1748182123.00000242481F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbS source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.pdb0 source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: sussy.PDB- source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Xml.pdbk& source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb- source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb,M source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER35BE.tmp.dmp.13.dr

Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003BA7E7 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_003BA7E7
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003CBB70 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_003CBB70
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003DADB8 FindFirstFileExA,	0_2_003DADB8

Source: global traffic

HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: D0YK8HmHP5rKTOPjzu7lbQ==Sec-WebSocket-Version: 13Host: gateway.discord.gg

Source: Joe Sandbox View

IP Address: 162.159.136.234 162.159.136.234

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: D0YK8HmHP5rKTOPjzu7lbQ==Sec-WebSocket-Version: 13Host: gateway.discord.gg

Source: unknown

DNS traffic detected: queries for: gateway.discord.gg

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Feb 2024 15:19:45 GMTContent-Length: 0Connection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BUQo5rIaIubgmomkA7C3bM8tc32zzRG29cMO0DvA1Z3ncPtAHABGe8XFkLsrT7nJpItXDaSn3jHue1wwZs8T%2F7mxC6ZvYcDi24g2kBF%2BPTzRyiEby2ketsW830R9BjUWYJ61Sg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffServer: cloudflareCF-RAY: 8524da4c89bc53c1-ATL

Source: sussy.exe, 00000009.00000002.1745496307.000002422F6F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gateway.discord.gg
Source: sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.13.dr	String found in binary or memory: http://upx.sf.net
Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	String found in binary or memory: http://www.google.com/maps/place/
Source: sussy.exe.0.dr	String found in binary or memory: https://discord.com/api/v9/channels/
Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	String found in binary or memory: https://discord.com/api/v9/guilds/
Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	String found in binary or memory: https://file.io/
Source: sussy.exe, 00000009.00000002.1745496307.000002422F6D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg
Source: sussy.exe, 00000009.00000002.1745496307.000002422F6D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
Source: sussy.exe, 00000009.00000002.1745496307.000002422F6D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
Source: sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	String found in binary or memory: https://geolocation-db.com/json
Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.7:49699 version: TLS 1.2

E-Banking Fraud

Source: Yara match	File source: 9.0.sussy.exe.2422d870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noway-2D8EB.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sussy.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\sussy.exe, type: DROPPED

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003B71E6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_003B71E6

Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003B8709	0_2_003B8709
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003C6887	0_2_003C6887
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003BC017	0_2_003BC017
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003D009A	0_2_003D009A
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003BE147	0_2_003BE147
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003D1218	0_2_003D1218
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003B3206	0_2_003B3206
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003C72FF	0_2_003C72FF
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003DD35E	0_2_003DD35E
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003E1464	0_2_003E1464
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003BE57B	0_2_003BE57B
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003D0596	0_2_003D0596
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003B276D	0_2_003B276D
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003D09AE	0_2_003D09AE
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003D4A0A	0_2_003D4A0A
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003C3A02	0_2_003C3A02
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003BEB7B	0_2_003BEB7B
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003D4C39	0_2_003D4C39
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003C3C7D	0_2_003C3C7D
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003BFC43	0_2_003BFC43
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003C6CBC	0_2_003C6CBC
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003D0DE3	0_2_003D0DE3
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003C5EB8	0_2_003C5EB8
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003B5EBC	0_2_003B5EBC
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003DCEB0	0_2_003DCEB0
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003C3FAE	0_2_003C3FAE
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003B3FFE	0_2_003B3FFE
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003BEFEF	0_2_003BEFEF
Source: C:\Users\user\Desktop\sussy.exe	Code function: 9_2_00007FFAAC6912E0	9_2_00007FFAAC6912E0
Source: C:\Users\user\Desktop\sussy.exe	Code function: 9_2_00007FFAAC6912D1	9_2_00007FFAAC6912D1
Source: C:\Users\user\Desktop\sussy.exe	Code function: 9_2_00007FFAAC6913FB	9_2_00007FFAAC6913FB
Source: C:\Users\user\Desktop\sussy.exe	Code function: 9_2_00007FFAAC6913D3	9_2_00007FFAAC6913D3

Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: String function: 003CE630 appears 54 times
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: String function: 003CE554 appears 35 times
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: String function: 003CEFB0 appears 31 times

Source: C:\Users\user\Desktop\sussy.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7516 -s 2332

Source: sussy.exe.0.dr

Static PE information: No import functions for PE file found

Source: noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameDiscord rat.exe8 vs noway-2D8EB.exe

Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: websocket.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Section loaded: gpapi.dll	Jump to behavior

Source: noway-2D8EB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@4/7@1/1

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003B6EA8 GetLastError,FormatMessageW,

0_2_003B6EA8

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003CA07C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_003CA07C

Source: C:\Users\user\Desktop\noway-2D8EB.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_5708906

Source: C:\Users\user\Desktop\sussy.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7516

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8a458676-38dd-4574-bfc8-2640ae9f92ff

Source: C:\Users\user\Desktop\noway-2D8EB.exe	Command line argument: sfxname	0_2_003CD891
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Command line argument: sfxstime	0_2_003CD891
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Command line argument: STARTDLG	0_2_003CD891
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Command line argument: xj@	0_2_003CD891

Source: noway-2D8EB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\noway-2D8EB.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: noway-2D8EB.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\noway-2D8EB.exe

File read: C:\Users\user\Desktop\noway-2D8EB.exe

Source: unknown	Process created: C:\Users\user\Desktop\noway-2D8EB.exe C:\Users\user\Desktop\noway-2D8EB.exe
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Process created: C:\Users\user\Desktop\sussy.exe "C:\Users\user\Desktop\sussy.exe"
Source: C:\Users\user\Desktop\sussy.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7516 -s 2332
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Process created: C:\Users\user\Desktop\sussy.exe "C:\Users\user\Desktop\sussy.exe"	Jump to behavior

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\sussy.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: noway-2D8EB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: noway-2D8EB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: noway-2D8EB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: noway-2D8EB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: noway-2D8EB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: noway-2D8EB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: noway-2D8EB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: noway-2D8EB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: noway-2D8EB.exe
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb) source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Users\user\Desktop\sussy.PDBbM source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: b77a5c561934e089\mscorlib.pdb source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbc*] source: sussy.exe, 00000009.00000002.1748182123.00000242481F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbE+ source: sussy.exe, 00000009.00000002.1748182123.00000242481F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Web.Extensions.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Web.Extensions.pdbSystem.Configuration.ni.dllY9 source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.pdbvN+ source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: sussy.exe, 00000009.00000002.1748182123.00000242481F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp, WER35BE.tmp.dmp.13.dr
Source:	Binary string: C:\Users\user\Desktop\sussy.PDB source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\sussy.PDB source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: sussy.exe, 00000009.00000002.1748182123.00000242481F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbS source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.pdb0 source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: sussy.PDB- source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: System.Xml.pdbk& source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: sussy.exe, 00000009.00000002.1744890869.000000AFC89F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb- source: sussy.exe, 00000009.00000002.1748182123.0000024248210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER35BE.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb,M source: sussy.exe, 00000009.00000002.1748182123.0000024248255000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER35BE.tmp.dmp.13.dr

Source: noway-2D8EB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: noway-2D8EB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: noway-2D8EB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: noway-2D8EB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: noway-2D8EB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: sussy.exe.0.dr, Program.cs	.Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
Source: sussy.exe.0.dr, Program.cs	.Net Code: password
Source: sussy.exe.0.dr, Program.cs	.Net Code: webcampic
Source: sussy.exe.0.dr, Program.cs	.Net Code: select_cam
Source: sussy.exe.0.dr, Program.cs	.Net Code: get_cams
Source: sussy.exe.0.dr, Program.cs	.Net Code: get_tokens

Source: sussy.exe.0.dr

Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]

Source: C:\Users\user\Desktop\noway-2D8EB.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_5708906

Source: noway-2D8EB.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003CE554 push eax; ret	0_2_003CE572
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003CEFF6 push ecx; ret	0_2_003CF009
Source: C:\Users\user\Desktop\sussy.exe	Code function: 9_2_00007FFAAC693F9D push ebx; retf 000Bh	9_2_00007FFAAC693FCA
Source: C:\Users\user\Desktop\sussy.exe	Code function: 9_2_00007FFAAC693FFD push ebx; retf 000Bh	9_2_00007FFAAC693FCA

Source: C:\Users\user\Desktop\noway-2D8EB.exe

File created: C:\Users\user\Desktop\sussy.exe

Jump to dropped file

Source: C:\Users\user\Desktop\sussy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\noway-2D8EB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\sussy.exe	Memory allocated: 2422DBB0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Memory allocated: 24247640000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\sussy.exe TID: 7588	Thread sleep count: 274 > 30			Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe TID: 7588	Thread sleep count: 177 > 30			Jump to behavior

Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003BA7E7 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_003BA7E7
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003CBB70 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_003CBB70
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003DADB8 FindFirstFileExA,	0_2_003DADB8

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003CE03A VirtualQuery,GetSystemInfo,

0_2_003CE03A

Source: Amcache.hve.13.dr	Binary or memory string: VMware
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: sussy.exe, 00000009.00000002.1745152149.000002422D9F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: Amcache.hve.13.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: vmci.sys
Source: noway-2D8EB.exe, 00000000.00000002.1301013340.0000000002A29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.13.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\noway-2D8EB.exe

API call chain: ExitProcess graph end node

graph_0-23918

Source: C:\Users\user\Desktop\sussy.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003CF1B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003CF1B5

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003D780E mov eax, dword ptr fs:[00000030h]

0_2_003D780E

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003DBAA0 GetProcessHeap,

0_2_003DBAA0

Source: C:\Users\user\Desktop\sussy.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003CF1B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003CF1B5
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003CF303 SetUnhandledExceptionFilter,	0_2_003CF303
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003CF4CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003CF4CB
Source: C:\Users\user\Desktop\noway-2D8EB.exe	Code function: 0_2_003D898F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003D898F

Source: C:\Users\user\Desktop\sussy.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Process created: C:\Users\user\Desktop\sussy.exe "C:\Users\user\Desktop\sussy.exe"

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003CF00B cpuid

0_2_003CF00B

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_003CA8CC

Source: C:\Users\user\Desktop\sussy.exe	Queries volume information: C:\Users\user\Desktop\sussy.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\sussy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003CD891 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_003CD891

Source: C:\Users\user\Desktop\noway-2D8EB.exe

Code function: 0_2_003BAEE5 GetVersionExW,

0_2_003BAEE5

Source: C:\Users\user\Desktop\sussy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Contains functionality to disable the Task Manager (.Net Source)

Lowering of HIPS / PFW / Operating System Security Settings

Source: sussy.exe.0.dr, Program.cs

.Net Code: DisableTaskManager

Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: 9.0.sussy.exe.2422d870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noway-2D8EB.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sussy.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\sussy.exe, type: DROPPED

Remote Access Functionality

Source: Yara match	File source: 9.0.sussy.exe.2422d870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noway-2D8EB.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sussy.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\sussy.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	3 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	35 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
noway-2D8EB.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
noway-2D8EB.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\sussy.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://discord.com/api/v9/channels/	0%	Avira URL Cloud	safe
https://geolocation-db.com/json	0%	Avira URL Cloud	safe
https://discord.com/api/v9/guilds/	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll	100%	Avira URL Cloud	malware
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d	100%	Avira URL Cloud	malware
https://gateway.discord.gg/?v=9&encording=jsonX	0%	Avira URL Cloud	safe
https://gateway.discord.gg/?v=9&encording=json	0%	Avira URL Cloud	safe
https://gateway.discord.gg:443/?v=9&encording=json	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll	100%	Avira URL Cloud	malware
https://gateway.discord.gg	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte	100%	Avira URL Cloud	malware
http://gateway.discord.gg	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gateway.discord.gg	162.159.136.234	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gateway.discord.gg/?v=9&encording=json	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://geolocation-db.com/json	noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://file.io/	noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	false		high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte	noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll	noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d	noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	false	Avira URL Cloud: malware	unknown
https://gateway.discord.gg:443/?v=9&encording=json	sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.13.dr	false		high
http://gateway.discord.gg	sussy.exe, 00000009.00000002.1745496307.000002422F6F5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gateway.discord.gg	sussy.exe, 00000009.00000002.1745496307.000002422F6D9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll	noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/channels/	sussy.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://gateway.discord.gg/?v=9&encording=jsonX	sussy.exe, 00000009.00000002.1745496307.000002422F6D9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/guilds/	noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra	noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000002.1745496307.000002422F641000.00000004.00000800.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	false	Avira URL Cloud: malware	unknown
http://www.google.com/maps/place/	noway-2D8EB.exe, 00000000.00000003.1253793520.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, sussy.exe, 00000009.00000000.1297486569.000002422D872000.00000002.00000001.01000000.00000009.sdmp, sussy.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.136.234	gateway.discord.gg	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1389215
Start date and time:	2024-02-08 16:18:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	noway-2D8EB.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@4/7@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 125 Number of non-executed functions: 92
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target sussy.exe, PID 7516 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: noway-2D8EB.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.136.234	SecuriteInfo.com.Exploit.Shell.29354.24275.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Exploit.Shell.29354.24275.exe	Get hash	malicious	Unknown	Browse
	1EdVSOmvh0.exe	Get hash	malicious	Dicrord Rat	Browse
	YEM2yTzOK9.exe	Get hash	malicious	Dicrord Rat	Browse
	https://pub-6fbff04eeb6c444fa79c22c8c01d96e2.r2.dev/loginonlinemicrosoffice.html	Get hash	malicious	Unknown	Browse
	http://binaecn.com	Get hash	malicious	Unknown	Browse
	XQDo1PTnRJ.exe	Get hash	malicious	Unknown	Browse
	downloader.exe	Get hash	malicious	Discord Token Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gateway.discord.gg	aBtQ4Tt70g.exe	Get hash	malicious	Dicrord Rat	Browse	162.159.133.234
	aBtQ4Tt70g.exe	Get hash	malicious	Dicrord Rat	Browse	162.159.135.234
	SecuriteInfo.com.Python.Agent-LZ.20719.17498.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	162.159.135.234
	tools.exe	Get hash	malicious	Dicrord Rat	Browse	162.159.134.234
	tools.exe	Get hash	malicious	Dicrord Rat	Browse	162.159.134.234
	iostream.exe	Get hash	malicious	Binder HackTool, Blank Grabber, Dicrord Rat, Quasar	Browse	162.159.135.234
	Free_Nitro.exe	Get hash	malicious	Python Stealer, Blank Grabber, Discord Token Stealer	Browse	162.159.134.234
	spoofer.exe	Get hash	malicious	Blank Grabber, Dicrord Rat, Umbral Stealer	Browse	162.159.133.234
	1EdVSOmvh0.exe	Get hash	malicious	Dicrord Rat	Browse	162.159.136.234

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	INV-0484 #U00a323,950.00.html	Get hash	malicious	Unknown	Browse	172.64.207.38
	aBtQ4Tt70g.exe	Get hash	malicious	Dicrord Rat	Browse	162.159.133.234
	cRcQFPRvB5.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	OriginalMessage.txt.msg	Get hash	malicious	Unknown	Browse	104.18.7.145
	aBtQ4Tt70g.exe	Get hash	malicious	Dicrord Rat	Browse	162.159.135.234
	a6dezbyIs4.exe	Get hash	malicious	Azorult, GuLoader	Browse	104.21.41.83
	iWqtW5RXqa.exe	Get hash	malicious	FormBook	Browse	104.21.50.164
	Order nr. 400289593_0.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	0ckZJf9ir5.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	aBtQ4Tt70g.exe	Get hash	malicious	Dicrord Rat	Browse	162.159.136.234
	cRcQFPRvB5.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.159.136.234
	aBtQ4Tt70g.exe	Get hash	malicious	Dicrord Rat	Browse	162.159.136.234
	Transfer-Factura-6556542248.263.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.159.136.234
	Order nr. 400289593_0.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	162.159.136.234
	0ckZJf9ir5.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.159.136.234
	BCP Council Team Kinetic.html	Get hash	malicious	Unknown	Browse	162.159.136.234
	http://uptick4567.lol	Get hash	malicious	HTMLPhisher	Browse	162.159.136.234
	N4PSobGhBi.exe	Get hash	malicious	AgentTesla	Browse	162.159.136.234

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sussy.exe_b2506a837a448299ce824c3b2ab052ea6d56c7_c5caf53a_cf7a9ae2-e54e-4b50-b493-8a07e76862d1\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1609155238214508
Encrypted:	false
SSDEEP:	192:Sq54z9P08rLV8aeQdl/N6fmzuiF8Z24lO8E:X54zG8rLV8aT/gfmzuiF8Y4lO8E
MD5:	F152BAA4E680457DFE8A11044A5C8043
SHA1:	826655E3A360539ACFAFD844B660FAEA4B1D2722
SHA-256:	8E2FE917BDBEBB067314C3CE51C53503BAA75F8F1DA3827C6C58904D84367AF3
SHA-512:	D17145FF0CAF9F49A39FA4B63CFBCF6DCCA154CAFE81D22322BDF24A6B7F1016267053B0DEBD9F988222ABD4533F9043BFDA048370591EC9769E63F3354D165B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.1.8.7.9.1.8.5.1.8.3.0.3.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.1.8.7.9.1.8.6.1.6.7.4.0.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.7.a.9.a.e.2.-.e.5.4.e.-.4.b.5.0.-.b.4.9.3.-.8.a.0.7.e.7.6.8.6.2.d.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.e.5.6.4.e.0.-.c.7.c.c.-.4.b.4.b.-.b.e.8.2.-.0.3.3.4.7.e.e.a.f.4.2.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.u.s.s.y...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.i.s.c.o.r.d. .r.a.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.5.c.-.0.0.0.1.-.0.0.1.4.-.0.c.7.a.-.f.6.3.d.a.2.5.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.f.e.e.e.1.7.a.3.6.3.4.1.9.f.5.5.d.6.5.e.a.2.c.1.6.f.5.b.3.0.0.0.0.0.0.0.0.0.!.0.0.0.0.8.1.5.c.5.5.8.7.9.a.c.3.4.e.e.4.b.7.b.0.8.d.a.7.a.9.4.2.b.9.8.7.6.f.7.2.9.6.b.9.!.s.u.s.s.y...e.x.e.....T.a.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER35BE.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Feb 8 15:19:45 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	554149
Entropy (8bit):	2.9027338325632317
Encrypted:	false
SSDEEP:	3072:YvlianuRlcSIYqz/xGvGUPYG1CCqeC4iHO3+vOoVmfyBOXpIymdSZiytKrJ76D4n:SyFVk/xGvGUdqZ473QL76D
MD5:	B8D15514D5C3C10D6365BC2FC61C8457
SHA1:	2914EE66B261AD081F7F7AB195C77A64650DC78B
SHA-256:	FB34AB3948B9E7334ECC48C8465460AD057A8C9B15CAAFAE30F9C6841AA42989
SHA-512:	29F33FFD2FFAAD1AE648A7FD4BA996EA47A1B5B859E7A68E3EDB49C33BEEBC9035552339560DBEC341F802816BD08AD578967D67EBB8495718860CC58634DAE7
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........e....................................<....)..........H).......?..............l.......8...........T...........([..}...........T4..........@6..............................................................................eJ.......6......Lw......................T.......\......e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3811.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6750
Entropy (8bit):	3.7164972070113094
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbTk+YZSYTyizU+YgaM4U089b5S645DWffgTm:R6l7wVeJTk+YZSEDrpr089b5f45EfgTm
MD5:	2386614F7C4607599A3A82921A96DEF8
SHA1:	818C610C2BDA063F6C19B9BD9D003288008B0991
SHA-256:	0D20918100BF4298F938A79E69D944366E8C57B37FE00FB03F55CEE8AD8A56DF
SHA-512:	1B0D3E97673FCF48DA2F8F7FC64F7725BE9DE15776285966D64DFD812A24F04EB33FEDA2204F8F41D6BDCBEE5178015EF6C59776EEEDFF292E779B7797C229FD
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3841.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4781
Entropy (8bit):	4.44974310926309
Encrypted:	false
SSDEEP:	48:cvIwWl8zsqNJg771I9+xWpW8VYgYm8M4Jp4b6Fe1yq8vu4bV3MtIKsO9d:uIjfqnI71g7VcJ+JWlp365sO9d
MD5:	F4516723E670D9E5845F7547BE840A0F
SHA1:	24DAE139DC9F85633A827283F2852D199D6F66A9
SHA-256:	F65769DEE72CF8F5B9A485AFB47B7205FB3671EDB251D7728D52099155AFC671
SHA-512:	DCC2614419EFDC6C0037E9A34C8E6441B51E68ECE78978C3C942993355A51CE5C0AC893D832058801BACA25D4832310EC4AEC082FE92E414606AEC6420EEBD7B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="184702" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\Desktop\NOWAY.png - Copy.jpeg

Process:	C:\Users\user\Desktop\noway-2D8EB.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 238x212, components 3
Category:	dropped
Size (bytes):	6162
Entropy (8bit):	7.927474314229622
Encrypted:	false
SSDEEP:	96:qVqJx1MpULnq2gjgL9+6GY3S37HhGg6p3q6gwp1H9MWP5410NmN6jFx3paF/9OrS:kqBYinQhGFhpPgC99v41JIhx3CRjH
MD5:	EA583528B6382489FADE47166E5F8986
SHA1:	7A77DCD27CD9A868087C761796C629A029E53441
SHA-256:	3DE0EF4A2F9C04483F5BE15F95D0837126A87CC2EAA3112940C07E02B09F9250
SHA-512:	40B5F2703EBBFB2D5EC9F91E058E8BD23958453B920702E937B5786BCCF306942B0B801E52BEF8D88FC94C8BCDE998D294259AD08E01A36959B5553994F92DAD
Malicious:	false
Reputation:	low
Preview:	......JFIF..................................................!.%..+...&8&+/1555.$;@;4?.451...........4'!!44444444444444444444444444444444444444444444411?4?..........."........................................:........................!..1A"Qaq.2....R.B..#3b..r.S..................................."......................!1..."AQ2.............?..SM......6..........2...`\|.o$.yO.......:....=V?..!6.GQ$..$.Xz:.$...(.BHj..,...\|..<v;.{QOS......{..h.X...g.I...y..T.{.0.D..@...R..Yu5.#{G./[.x.......6..........v..myn8.p{r6..J..z./[..(>..h.:.'.I.O/%>.'.....?..Ue=aJ.U........u'.!\y.....<r......d.......yv=%.<...90-}O@.1..a.....7&....dyM{E.T..2.@.......hpY..Je...R.....3..f7...<..p.?.{...H.%F.O9d.....S..a...T...~$..l.@MM<y..aMUwX?...[.y9.T.....G6%.A, ..,.5..$.qc.........*L.....c.j.:S....._."..~..;.[._.o..^mHr.2..eg\."...~N..y.(.....T...I.........sz..TW...\~.#.K?.....j...57oe..#YCV.A....XM^.t..x..S.q.....#.9R..jQ.Q:s..#.`.F.?..o.......~...Ul.";..9..E./^.A.K39.v...G...p.z.

C:\Users\user\Desktop\sussy.exe

Process:	C:\Users\user\Desktop\noway-2D8EB.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	80384
Entropy (8bit):	5.482119607372954
Encrypted:	false
SSDEEP:	1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+kPIC:5Zv5PDwbjNrmAE+4IC
MD5:	B2F30C9372186A8BBA11A3A41CCD9CAE
SHA1:	815C55879AC34EE4B7B08DA7A942B9876F7296B9
SHA-256:	48A06CB0A56C9E5CEFE26B27E90DD8F4956396F3B95C8504759C029D48CE966B
SHA-512:	E4906B1AE2322C8661D1722258F65A8F509FCCF4558D19D89FB74DAFF93D484B33DCD423A4B37479965ABA3A27BC241BE506CCAC9CCEA835EAE43B817D194FE1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DicrordRat, Description: Yara detected Dicrord Rat, Source: C:\Users\user\Desktop\sussy.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..2............... .....@..... ....................................`...@......@............... ...............................`............................................................................................... ..H............text...80... ...2.................. ..`.rsrc........`.......4..............@..@........................................H...........x.......".....................................................{...."..}....2.(....o....J. . ..}.....(....6.\|.....("...6.\|.....("...6.\|.....(".....(....^.{....{.....{....o7...6.\|.....("...6.\|.....("...2.( ...(....F~&....( ...o...+2~&....o...+2~&....oM...2(I....oJ....~_...r...p.oe...r...p(f...og...(h...(i...(f...og...ob....~u...r...po`...%(v.....R....ow...oc....~u...r...po`...%(v.....ow...oc...6.\|2....("...6.\|6....("...6.\|9....("...6.\|=....("...*6.\|A..

C:\Windows\appcompat\Programs\Amcache.hve