Windows Analysis Report
Wt3pGldAnr.exe

Overview

General Information

Sample name: Wt3pGldAnr.exe
Renamed because the original name is a hash value
Original sample name: 0707cfd47743293d37378ee4465baf5c.exe
Analysis ID: 1428524
MD5: 0707cfd47743293d37378ee4465baf5c
SHA1: 3ec3e1da7ca748292eb3d0990a763d58e04ebb09
SHA256: fb65c9da76587966b0fd53c34119aedd57e771899531146943b79bbb2cc129c3
Tags: 32exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found evasive API chain (may stop execution after checking mutex)
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\ProgramData\StartMenuExperienceHos.exe ReversingLabs: Detection: 15%
Source: C:\ProgramData\StartMenuExperienceHos.exe Virustotal: Detection: 23%
Source: Wt3pGldAnr.exe ReversingLabs: Detection: 15%
Source: Wt3pGldAnr.exe Virustotal: Detection: 23%

Compliance

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Unpacked PE file: 0.2.Wt3pGldAnr.exe.3480000.4.unpack
Source: Wt3pGldAnr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Wt3pGldAnr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DDA6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_00DDA6C3
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_0061A6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 1_2_0061A6C3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DDA6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 3_2_00DDA6C3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0348B0A5 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcatW,lstrcpyW, 0_2_0348B0A5
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 156.255.0.191:1386
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DA2B1A select,recv, 0_2_00DA2B1A
Source: Wt3pGldAnr.exe String found in binary or memory: https://zh-hans.ipshu.com/my_info
Source: Wt3pGldAnr.exe, 00000000.00000002.1788227901.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1787973230.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788120725.00000000031C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zh-hans.ipshu.com/my_infoInternetOpenUrl

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: [esc] 0_2_0349CB0D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: [esc] 0_2_0349CD43
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E1250F __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard, 0_2_00E1250F
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349CB0D _memset,Sleep,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,_memmove,wsprintfW,_memset,GlobalUnlock,CloseClipboard,GetKeyState,wsprintfW,lstrlenW,wsprintfW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW, 0_2_0349CB0D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E222CB IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW, 0_2_00E222CB
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349C71F SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState, 0_2_0349C71F
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DDC51E SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW, 0_2_00DDC51E
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DE688A IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 0_2_00DE688A
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E50863 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer, 0_2_00E50863
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E209E6 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00E209E6
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DE49CC IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 0_2_00DE49CC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DB297D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 0_2_00DB297D
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_0061C51E SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW, 1_2_0061C51E
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00690863 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer, 1_2_00690863
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_0062688A IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 1_2_0062688A
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_005F297D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 1_2_005F297D
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006609E6 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_006609E6
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006249CC IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 1_2_006249CC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DDC51E SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW, 3_2_00DDC51E
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DE688A IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 3_2_00DE688A
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E50863 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer, 3_2_00E50863
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E209E6 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 3_2_00E209E6
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DE49CC IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 3_2_00DE49CC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DB297D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 3_2_00DB297D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349156A ExitWindowsEx, 0_2_0349156A
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E3E67D 0_2_00E3E67D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DEC708 0_2_00DEC708
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EA6F6B 0_2_00EA6F6B
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DC91C5 0_2_00DC91C5
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EA98A3 0_2_00EA98A3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034A0360 0_2_034A0360
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034B21F5 0_2_034B21F5
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034B643A 0_2_034B643A
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034B6B16 0_2_034B6B16
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034B0932 0_2_034B0932
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034B0DC7 0_2_034B0DC7
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034B1165 0_2_034B1165
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_0067E67D 1_2_0067E67D
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_0062C708 1_2_0062C708
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006E6F6B 1_2_006E6F6B
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006091C5 1_2_006091C5
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006E98A3 1_2_006E98A3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E3E67D 3_2_00E3E67D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DEC708 3_2_00DEC708
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00EA6F6B 3_2_00EA6F6B
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DC91C5 3_2_00DC91C5
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00EA98A3 3_2_00EA98A3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Process token adjusted: Security
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: String function: 005E6349 appears 41 times
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: String function: 006E5EB4 appears 112 times
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: String function: 006E5E7E appears 48 times
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: String function: 006E5E4B appears 388 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 00DAEC08 appears 42 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 0349A1C8 appears 34 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 00DA6304 appears 34 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 034A8AC0 appears 32 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 00EA63B0 appears 62 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 00DA6349 appears 82 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 00EA5E7E appears 96 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 00EA5E4B appears 784 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 0349B72C appears 35 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 00DA4EB5 appears 56 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: String function: 00EA5EB4 appears 235 times
Source: Wt3pGldAnr.exe, 00000000.00000000.1662960524.0000000001093000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs Wt3pGldAnr.exe
Source: Wt3pGldAnr.exe, 00000000.00000003.1757233623.00000000043CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs Wt3pGldAnr.exe
Source: Wt3pGldAnr.exe, 00000003.00000000.1774367678.0000000001093000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs Wt3pGldAnr.exe
Source: Wt3pGldAnr.exe Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs Wt3pGldAnr.exe
Source: Wt3pGldAnr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal80.spyw.evad.winEXE@4/2@0/1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349A244 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,ImpersonateLoggedOnUser,CloseHandle,CloseHandle,CloseHandle,CloseHandle,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLengthSid,SetTokenInformation,TerminateProcess,AdjustTokenPrivileges,CloseHandle,CloseHandle,CloseHandle, 0_2_0349A244
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349A701 AdjustTokenPrivileges, 0_2_0349A701
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349B72C OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_0349B72C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349B671 LookupPrivilegeValueW,GetLastError,_wprintf,AdjustTokenPrivileges,GetLastError,_wprintf,GetLastError,_wprintf, 0_2_0349B671
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0348A3FD GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess, 0_2_0348A3FD
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349A1C8 LookupPrivilegeValueW,AdjustTokenPrivileges, 0_2_0349A1C8
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0348A520 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 0_2_0348A520
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0348AA41 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, 0_2_0348AA41
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349A036 CreateToolhelp32Snapshot,Process32FirstW,__wcsicoll,Process32NextW,FindCloseChangeNotification, 0_2_0349A036
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DBA66C CoInitialize,CoCreateInstance, 0_2_00DBA66C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DAA4D3 FindResourceW,LoadResource,LockResource,FreeResource, 0_2_00DAA4D3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Mutant created: \Sessions\1\BaseNamedObjects\MyUniqueMutexName
Source: Wt3pGldAnr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Wt3pGldAnr.exe ReversingLabs: Detection: 15%
Source: Wt3pGldAnr.exe Virustotal: Detection: 23%
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe File read: C:\Users\user\Desktop\Wt3pGldAnr.exe
Source: unknown Process created: C:\Users\user\Desktop\Wt3pGldAnr.exe "C:\Users\user\Desktop\Wt3pGldAnr.exe"
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Process created: C:\ProgramData\StartMenuExperienceHos.exe "C:\ProgramData\StartMenuExperienceHos.exe"
Source: unknown Process created: C:\Users\user\Desktop\Wt3pGldAnr.exe C:\Users\user\Desktop\Wt3pGldAnr.exe
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Process created: C:\ProgramData\StartMenuExperienceHos.exe "C:\ProgramData\StartMenuExperienceHos.exe"
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: xmllite.dll
Source: C:\ProgramData\StartMenuExperienceHos.exe Section loaded: apphelp.dll
Source: C:\ProgramData\StartMenuExperienceHos.exe Section loaded: msimg32.dll
Source: C:\ProgramData\StartMenuExperienceHos.exe Section loaded: oledlg.dll
Source: C:\ProgramData\StartMenuExperienceHos.exe Section loaded: winmm.dll
Source: C:\ProgramData\StartMenuExperienceHos.exe Section loaded: oleacc.dll
Source: C:\ProgramData\StartMenuExperienceHos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\StartMenuExperienceHos.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: Wt3pGldAnr.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Wt3pGldAnr.exe Static file information: File size 3218944 > 1048576
Source: Wt3pGldAnr.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x128a00
Source: Wt3pGldAnr.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x173a00
Source: Wt3pGldAnr.exe Static PE information: More than 200 imports for USER32.dll
Source: Wt3pGldAnr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Wt3pGldAnr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Wt3pGldAnr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Wt3pGldAnr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Wt3pGldAnr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Wt3pGldAnr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Unpacked PE file: 0.2.Wt3pGldAnr.exe.3480000.4.unpack
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DA10BE __floor_pentium4,LoadLibraryW,GetProcAddress,VirtualAlloc,_memmove,VirtualFree, 0_2_00DA10BE
Source: Wt3pGldAnr.exe Static PE information: real checksum: 0x314ee0 should be: 0x31a429
Source: StartMenuExperienceHos.exe.0.dr Static PE information: real checksum: 0x314ee0 should be: 0x31a429
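The two checksum findings above can be reproduced outside the sandbox. The following Python is an added example by the editor, not part of the Joe Sandbox report and not code from the sample: it recomputes OptionalHeader.CheckSum with the algorithm imagehlp's CheckSumMappedFile uses (ones'-complement sum of 16-bit words with the CheckSum dword skipped, then the file length added) and compares it with the stored value. build_sample() is a constructed 160-byte stand-in carrying only the fields the algorithm touches, not a real PE; running verify_checksum() on the real file bytes is what yields a pair like the report's 0x314ee0 / 0x31a429.

```python
"""Recompute a PE image's OptionalHeader.CheckSum and compare it with the stored
value. Editor's added example; the algorithm is the one imagehlp's
CheckSumMappedFile implements, the sample buffer below is constructed."""
import struct

CHECKSUM_FIELD_OFFSET = 0x58   # CheckSum inside IMAGE_OPTIONAL_HEADER (PE32 and PE32+)


def _e_lfanew(data: bytes) -> int:
    """Locate the PE header, validating both signatures on the way."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off


def pe_checksum(data: bytes) -> int:
    """Ones'-complement sum of all 16-bit words except the CheckSum dword, then
    the unpadded file length is added. An odd-length file sees one zero pad
    byte, exactly what the zero-filled tail of a file mapping supplies."""
    skip = _e_lfanew(data) + CHECKSUM_FIELD_OFFSET
    length = len(data)
    if length % 2:
        data = bytes(data) + b"\0"
    total = 0
    for off in range(0, len(data), 2):
        if off in (skip, skip + 2):          # both words of the CheckSum dword
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + length) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    """The value the linker (or whoever touched the file last) left in the header."""
    return struct.unpack_from("<I", data, _e_lfanew(data) + CHECKSUM_FIELD_OFFSET)[0]


def verify_checksum(data: bytes):
    """Return (stored, computed, matches). A stored value of 0 means 'never set'."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def build_sample(stored: int = 0xDEADBEEF, words=(), trailing: bytes = b"") -> bytes:
    """Constructed 160-byte stand-in, not a real PE: MZ signature, e_lfanew=0x40,
    PE signature, CheckSum dword at 0x98, every other byte zero. `words` pokes
    extra (offset, 16-bit value) pairs in; `trailing` appends raw bytes."""
    buf = bytearray(160)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + CHECKSUM_FIELD_OFFSET, stored)
    for off, val in words:
        struct.pack_into("<H", buf, off, val)
    return bytes(buf) + trailing


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    s, c, ok = verify_checksum(blob)
    print(f"real checksum: {s:#x} should be: {c:#x} ({'match' if ok else 'MISMATCH'})")
```

A stored value of zero only says the linker never filled the field in, so the finding that matters is a non-zero value that no longer matches, which means bytes changed after linking (a packer stage, a patched resource, an appended payload). That Wt3pGldAnr.exe and the dropped StartMenuExperienceHos.exe report the same stored/computed pair is consistent with the drop being a byte-for-byte copy of the sample.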
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EA63F5 push ecx; ret 0_2_00EA6408
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EA5F23 push ecx; ret 0_2_00EA5F36
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034A8B05 push ecx; ret 0_2_034A8B18
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034A2AF4 push ecx; ret 0_2_034A2B07
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034BA854 push ebp; retf 0_2_034BA858
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006E63F5 push ecx; ret 1_2_006E6408
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006E5F23 push ecx; ret 1_2_006E5F36
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00EA63F5 push ecx; ret 3_2_00EA6408
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00EA5F23 push ecx; ret 3_2_00EA5F36
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe File created: C:\ProgramData\StartMenuExperienceHos.exe
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe File created: C:\ProgramData\StartMenuExperienceHos.exe
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DE2018 IsIconic, 0_2_00DE2018
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E222CB IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW, 0_2_00E222CB
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DCCC9C SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 0_2_00DCCC9C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DDCD1F IsWindowVisible,IsIconic, 0_2_00DDCD1F
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E22E90 IsIconic,PostMessageW, 0_2_00E22E90
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E20FB1 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible, 0_2_00E20FB1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DA5516 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetDC,SelectObject, 0_2_00DA5516
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 0_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 0_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 0_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DF7DE2 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos, 0_2_00DF7DE2
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00E21D40 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect, 0_2_00E21D40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DE1F74 SetForegroundWindow,IsIconic, 0_2_00DE1F74
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00622018 IsIconic, 1_2_00622018
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006622CB IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW, 1_2_006622CB
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_0060CC9C SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 1_2_0060CC9C
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_0061CD1F IsWindowVisible,IsIconic, 1_2_0061CD1F
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00662E90 IsIconic,PostMessageW, 1_2_00662E90
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00660FB1 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible, 1_2_00660FB1
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_005E5516 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetDC,SelectObject, 1_2_005E5516
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00661A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 1_2_00661A40
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00661A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 1_2_00661A40
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00661A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 1_2_00661A40
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00661D40 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect, 1_2_00661D40
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00637DE2 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos, 1_2_00637DE2
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_00621F74 SetForegroundWindow,IsIconic, 1_2_00621F74
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DE2018 IsIconic, 3_2_00DE2018
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E222CB IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW, 3_2_00E222CB
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DCCC9C SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 3_2_00DCCC9C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DDCD1F IsWindowVisible,IsIconic, 3_2_00DDCD1F
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E22E90 IsIconic,PostMessageW, 3_2_00E22E90
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E20FB1 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible, 3_2_00E20FB1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DA5516 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetDC,SelectObject, 3_2_00DA5516
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 3_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 3_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 3_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DF7DE2 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos, 3_2_00DF7DE2
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00E21D40 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect, 3_2_00E21D40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DE1F74 SetForegroundWindow,IsIconic, 3_2_00DE1F74
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DBB770 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00DBB770
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 d33f351a4aeea5e608853d1a56661059

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\ProgramData\StartMenuExperienceHos.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe API coverage: 5.4 %
Source: C:\ProgramData\StartMenuExperienceHos.exe API coverage: 2.9 %
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe API coverage: 2.8 %
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe TID: 2316 Thread sleep count: 106 > 30
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe TID: 5448 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DDA6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_00DDA6C3
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_0061A6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 1_2_0061A6C3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00DDA6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 3_2_00DDA6C3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0348B0A5 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcatW,lstrcpyW, 0_2_0348B0A5
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EA9C8B VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 0_2_00EA9C8B
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Thread delayed: delay time: 30000
Source: StartMenuExperienceHos.exe, 00000001.00000003.1759281721.0000000001337000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_=b
Source: Wt3pGldAnr.exe, 00000000.00000002.1787519096.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000003.00000003.1775405931.000000000145C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\StartMenuExperienceHos.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EA47AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00EA47AC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_03495A55 CreateWindowExW,GetLastError,OutputDebugStringW,OutputDebugStringW, 0_2_03495A55
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EA9C8B VirtualProtect ?,-00000001,00000104,? 0_2_00EA9C8B
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DA10BE __floor_pentium4,LoadLibraryW,GetProcAddress,VirtualAlloc,_memmove,VirtualFree, 0_2_00DA10BE
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_03494CEC _free,_free,GetProcessHeap,HeapFree, 0_2_03494CEC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EA47AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00EA47AC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EABBA1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00EABBA1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349B9E1 GetCurrentProcess,OpenProcessToken,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,SetConsoleCtrlHandler,CreateThread,Sleep,CloseHandle,SetUnhandledExceptionFilter,CloseHandle,Sleep,Sleep,Sleep,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep, 0_2_0349B9E1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034A66AE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_034A66AE
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0349F3F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0349F3F0
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006E47AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_006E47AC
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: 1_2_006EBBA1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_006EBBA1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00EA47AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00EA47AC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 3_2_00EABBA1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00EABBA1

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0348A5F4 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, 0_2_0348A5F4
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_0348A5F4 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, 0_2_0348A5F4
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 0_2_0348A5F4
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 0_2_0348A5F4
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 0_2_00DA7502
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: __EH_prolog3_GS,GetNumberFormatW,GetLocaleInfoW,lstrlenW, 0_2_00DFDD6C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_034B030B
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_034B03B2
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_034B0216
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: _memset,_memset,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,lstrlenW,lstrlenW,wsprintfW,GetCurrentProcessId,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 0_2_03488189
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_034B0741
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_034B0705
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_034B069E
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_034B05DE
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_034B040D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_034B524D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: GetLocaleInfoA, 0_2_034A5648
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_034B3515
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 1_2_005E7502
Source: C:\ProgramData\StartMenuExperienceHos.exe Code function: __EH_prolog3_GS,GetNumberFormatW,GetLocaleInfoW,lstrlenW, 1_2_0063DD6C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 3_2_00DA7502
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: __EH_prolog3_GS,GetNumberFormatW,GetLocaleInfoW,lstrlenW, 3_2_00DFDD6C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EAEFF7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00EAEFF7
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_034AA394 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_034AA394
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DBB770 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00DBB770
Source: Wt3pGldAnr.exe Binary or memory string: acs.exe
Source: Wt3pGldAnr.exe, 00000000.00000002.1788227901.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1787973230.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788120725.00000000031C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: q\KSafeTray.exe
Source: Wt3pGldAnr.exe Binary or memory string: kxetray.exe
Source: Wt3pGldAnr.exe Binary or memory string: avcenter.exe
Source: Wt3pGldAnr.exe Binary or memory string: vsserv.exe
Source: Wt3pGldAnr.exe Binary or memory string: KSafeTray.exe
Source: Wt3pGldAnr.exe Binary or memory string: avp.exe
Source: Wt3pGldAnr.exe Binary or memory string: cfp.exe
Source: Wt3pGldAnr.exe Binary or memory string: 360Safe.exe
Source: Wt3pGldAnr.exe Binary or memory string: 360tray.exe
Source: Wt3pGldAnr.exe Binary or memory string: rtvscan.exe
Source: Wt3pGldAnr.exe Binary or memory string: TMBMSRV.exe
Source: Wt3pGldAnr.exe Binary or memory string: ashDisp.exe
Source: Wt3pGldAnr.exe Binary or memory string: 360Tray.exe
Source: Wt3pGldAnr.exe Binary or memory string: avgwdsvc.exe
Source: Wt3pGldAnr.exe Binary or memory string: AYAgent.aye
Source: Wt3pGldAnr.exe Binary or memory string: QUHLPSVC.EXE
Source: Wt3pGldAnr.exe Binary or memory string: RavMonD.exe
Source: Wt3pGldAnr.exe Binary or memory string: Mcshield.exe
Source: Wt3pGldAnr.exe Binary or memory string: K7TSecurity.exe
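The injection chain into svchost.exe at the top of this section and the process-name strings just above are the two findings an analyst would want scored automatically rather than read by eye. The following Python is an added example by the editor, not report or sample code: it parses "Code function:" records of the form shown above, flags the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread ordering together with the target image named on the record, and maps the embedded process names to vendors. SAMPLE_RECORDS are abridged, constructed copies of report lines; the vendor table is the editor's annotation, not something the report states (acs.exe is left unmapped).

```python
"""Triage helper for sandbox 'Code function:' records and embedded strings.
Editor's added example, not report or sample code."""
import re
from typing import Optional

# Ordered API sub-sequence of classic remote-thread code injection.
INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
# Sequence the report files under debugger detection. It is also exactly what
# the Visual C++ runtime emits in its security-failure handler, so it is
# recorded separately and should carry little weight on its own.
CRT_ANTIDEBUG_CHAIN = ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                       "UnhandledExceptionFilter", "TerminateProcess")

# Editor's annotation: vendor behind each process name the sample embeds.
AV_VENDORS = {
    "avp.exe": "Kaspersky", "360tray.exe": "Qihoo 360", "360safe.exe": "Qihoo 360",
    "ksafetray.exe": "Kingsoft", "kxetray.exe": "Kingsoft", "avcenter.exe": "Avira",
    "vsserv.exe": "Bitdefender", "cfp.exe": "Comodo", "rtvscan.exe": "Symantec",
    "tmbmsrv.exe": "Trend Micro", "ashdisp.exe": "Avast", "avgwdsvc.exe": "AVG",
    "ayagent.aye": "AhnLab", "quhlpsvc.exe": "Quick Heal", "ravmond.exe": "Rising",
    "mcshield.exe": "McAfee", "k7tsecurity.exe": "K7",
}

FUNC_ID = re.compile(r"\d+_\d+_[0-9A-Fa-f]+")   # e.g. 0_2_0348A5F4


def parse_record(record: str):
    """Return (function id, API names in call order, target image or None)."""
    _, sep, tail = record.partition("Code function:")
    if not sep:
        raise ValueError("not a 'Code function:' record")
    tokens = tail.split()
    func = next((t for t in tokens if FUNC_ID.fullmatch(t)), "?")
    chain = next((t for t in tokens if "," in t), "")          # the API list
    target: Optional[str] = next((t for t in tokens if t.lower().endswith(".exe")), None)
    return func, [a for a in chain.split(",") if a], target


def has_ordered(apis, pattern) -> bool:
    """True when every name in `pattern` occurs in `apis` in that relative order;
    unrelated calls may sit in between."""
    it = iter(apis)
    return all(any(a == wanted for a in it) for wanted in pattern)


def basename(s: str) -> str:
    """Strip any path junk around a memory string such as 'q\\KSafeTray.exe'."""
    return s.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()


def triage(records, strings):
    findings = {"injection": [], "crt_antidebug": [], "av_vendors": set()}
    for rec in records:
        func, apis, target = parse_record(rec)
        if has_ordered(apis, INJECTION_CHAIN):
            # CreateProcessA before the chain and ResumeThread after it is
            # consistent with spawning the target suspended just to host the code.
            spawned = has_ordered(apis, ("CreateProcessA", "CreateRemoteThread", "ResumeThread"))
            findings["injection"].append({"func": func, "target": target, "spawned": spawned})
        if has_ordered(apis, CRT_ANTIDEBUG_CHAIN):
            findings["crt_antidebug"].append(func)
    for s in strings:
        vendor = AV_VENDORS.get(basename(s))
        if vendor:
            findings["av_vendors"].add(vendor)
    return findings


# Constructed, abridged copies of report lines (the first keeps the call order).
SAMPLE_RECORDS = [
    r"Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: _memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 0_2_0348A5F4",
    r"Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00EA47AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00EA47AC",
    r"Source: C:\Users\user\Desktop\Wt3pGldAnr.exe Code function: 0_2_00DDA6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_00DDA6C3",
]
SAMPLE_STRINGS = ["avp.exe", "360tray.exe", "q\\KSafeTray.exe", "notepad.exe"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORDS, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess sequence the report lists under debugger detection sits at the same relative offset in the dropped copy and in every process instance, which is what compiler-generated runtime code looks like; the helper therefore files it under crt_antidebug rather than treating it as deliberate evasion. The chain that carries the verdict is the one that creates svchost.exe, writes into it and starts a remote thread, combined with the vendor list the sample carries.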