Edit tour

Windows Analysis Report
Andrej Simulator X.exe

Overview

General Information

Sample name:	Andrej Simulator X.exe
Analysis ID:	1640015
MD5:	9cc5ea6b17297d7043204a0e0f89388f
SHA1:	4e2b63ab02bea68e09b2a30cfe748ac6bdc14579
SHA256:	f1dc6095672e9b120665b1c64c752965267795d92888db4d53fbf5351320b0e3
Tags:	exetrojanuser-2huMarisa
Infos:

Detection

Score:	57
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to register a low level keyboard hook

Joe Sandbox ML detected suspicious sample

Sample or dropped binary is a compiled AutoHotkey binary

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries keyboard layouts

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

Process Tree

System is w10x64

Andrej Simulator X.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\Andrej Simulator X.exe" MD5: 9CC5EA6B17297D7043204A0E0F89388F)

aaa.exe (PID: 7108 cmdline: C:\Users\user\AppData\Local\Temp\aaa.exe MD5: 5BDA7A403E7F8BE8C8576343E077499B)

kitty.exe (PID: 6284 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 4476 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 7280 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 7356 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 7680 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 7732 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 8104 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 8172 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 7240 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 6704 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 4460 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 572 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 5544 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 2100 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 2696 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 8156 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 6192 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 5604 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 1896 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 3100 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 2668 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 4004 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 5424 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 1260 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 2696 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 1160 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 6576 cmdline: C:\Users\user\AppData\Local\Temp/kitty.exe MD5: 96266EC448AE60CAB541383AC73768EF)

cmd.exe (PID: 6852 cmdline: "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bbb.exe (PID: 7132 cmdline: C:\Users\user\AppData\Local\Temp\bbb.exe MD5: 396CA541EE2C20071F77D26AE030C832)

chrome.exe (PID: 7880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 4492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2080,i,2628610554253254953,2625306694296692569,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Andrej Simulator X.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\kitty.exe

Avira: detection malicious, Label: HEUR/AGEN.1354393

Multi AV Scanner detection for submitted file

Source: Andrej Simulator X.exe	Virustotal: Detection: 56%			Perma Link
Source: Andrej Simulator X.exe	ReversingLabs: Detection: 47%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: Andrej Simulator X.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 2.19.96.66:443 -> 192.168.2.10:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.24.15.224:443 -> 192.168.2.10:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.140.56.69:443 -> 192.168.2.10:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.140.56.69:443 -> 192.168.2.10:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.10:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.10:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.140.48.70:443 -> 192.168.2.10:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.140.48.70:443 -> 192.168.2.10:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.210.247.132:443 -> 192.168.2.10:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.12.13.90:443 -> 192.168.2.10:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.10:49918 version: TLS 1.2

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_004774C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_004774C0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0042E210 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	0_2_0042E210
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004774C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	1_2_004774C0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004440A0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	1_2_004440A0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00456180 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00456180
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0042E210 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	1_2_0042E210
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00444380 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	1_2_00444380
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00477430 FindFirstFileW,FindClose,GetFileAttributesW,	1_2_00477430
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004446C0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	1_2_004446C0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00455C10 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	1_2_00455C10
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00472DE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	1_2_00472DE0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00454FA0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	1_2_00454FA0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004774C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	2_2_004774C0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004440A0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	2_2_004440A0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00456180 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00456180
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0042E210 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	2_2_0042E210
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00444380 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	2_2_00444380
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00477430 FindFirstFileW,FindClose,GetFileAttributesW,	2_2_00477430
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004446C0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	2_2_004446C0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00455C10 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	2_2_00455C10
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00472DE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	2_2_00472DE0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00454FA0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	2_2_00454FA0

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.66
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.66
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.66
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.66
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.66
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.66
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.66
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.15.224
Source: unknown	TCP traffic detected without corresponding DNS query: 20.140.56.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.140.56.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.140.56.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.140.56.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.140.56.69

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00454910 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW,

0_2_00454910

Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIkqHLAQiKo8sBCIWgzQEI/aXOAQiB1s4BCMnczgEI4ODOAQjl484BCK/kzgEIyOTOAQjf5M4BCIvlzgEIjuXOAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIkqHLAQiKo8sBCIWgzQEI/aXOAQiB1s4BCMnczgEI4ODOAQjl484BCK/kzgEIyOTOAQjf5M4BCIvlzgEIjuXOAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?4a05764af27cf740812fdb9af9b56a52 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: 609d6ccc27cb05c71a1a835bf4542062.clo.footprintdns.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIkqHLAQiKo8sBCIWgzQEI/aXOAQiB1s4BCMnczgEI4ODOAQjl484BCK/kzgEIyOTOAQjf5M4BCIvlzgEIjuXOAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=522=ba-kf2bTlFF9jrOPYajIY8ZJT0lWz73CBa7c_ryB1BvBuiptLpWGeHZkpn4naiBlwmbZTPgkjoD8e8gZUT2Lb_Sw52Wbp2KNRbfnG2x3BCNgjNKw9tMV7tifhn-FdeG7l8La94ULiXB-jXXHoee_flslwP8Xz1ZFbW6bAwdEgQ5YhJIUYQYfO0hrpqruS65t
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?4845b86a4acfac6a0cd47d56c87e65ce HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: 609d6ccc27cb05c71a1a835bf4542062.clo.footprintdns.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?388d492d43e3e88af2954a457458e0f6 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: fp-afd.azurefd.usConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?0a2d40dba45076cdbf0d60e37728894d HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: fp-afd.azurefd.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?df8ec103468120808669298477825546 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: fp-afd.azurefd.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?e2282454b768654431d43652c1c5dbf6 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: fp-afd.azureedge.usConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?fb55ac7568e2c552cf95fea4aec959b9 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: 9009a40672fbc56a33f1f2d1614dc6c6.clo.footprintdns.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?5546062bc297d313db25d533ba9c02f1 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: 9009a40672fbc56a33f1f2d1614dc6c6.clo.footprintdns.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?0450217fe17cd5fc9a7e75c4aa47e7be HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: dea24028c20c1d3cceec339d922cbade.clo.footprintdns.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?cf198cafb3318e89ca000a34761099b0 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: dea24028c20c1d3cceec339d922cbade.clo.footprintdns.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gvt2.com

Source: chromecache_98.65.dr	String found in binary or memory: http://www.broofa.com
Source: chromecache_96.65.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_96.65.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_98.65.dr, chromecache_96.65.dr	String found in binary or memory: https://apis.google.com
Source: bbb.exe, bbb.exe, 00000002.00000002.2983058878.00000000004A1000.00000002.00000001.01000000.00000005.sdmp, bbb.exe, 00000002.00000000.1117084969.00000000004A1000.00000002.00000001.01000000.00000005.sdmp, Andrej Simulator X.exe, bbb.exe.0.dr, aaa.exe.0.dr	String found in binary or memory: https://autohotkey.com
Source: Andrej Simulator X.exe, bbb.exe.0.dr, aaa.exe.0.dr	String found in binary or memory: https://autohotkey.comCould
Source: chromecache_96.65.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_96.65.dr	String found in binary or memory: https://content.googleapis.com
Source: chromecache_96.65.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_98.65.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_98.65.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_98.65.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_98.65.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_98.65.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_96.65.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_96.65.dr	String found in binary or memory: https://plus.googleapis.com
Source: chromecache_96.65.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chromecache_96.65.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_96.65.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_98.65.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_98.65.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_98.65.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 2.19.96.66:443 -> 192.168.2.10:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.24.15.224:443 -> 192.168.2.10:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.140.56.69:443 -> 192.168.2.10:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.140.56.69:443 -> 192.168.2.10:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.10:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.10:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.140.48.70:443 -> 192.168.2.10:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.140.48.70:443 -> 192.168.2.10:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.210.247.132:443 -> 192.168.2.10:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.12.13.90:443 -> 192.168.2.10:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.10:49918 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_004093C0 SetWindowsHookExW 0000000D,Function_00004C10,00400000,00000000

0_2_004093C0

Source: C:\Users\user\AppData\Local\Temp\aaa.exe

Code function: 1_2_004049B0 GetTickCount,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,

1_2_004049B0

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00479570 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,	0_2_00479570
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_004046E0 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,	0_2_004046E0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00479570 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,	1_2_00479570
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004046E0 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,	1_2_004046E0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00479570 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,	2_2_00479570
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004046E0 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,	2_2_004046E0

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_004048B0 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,

0_2_004048B0

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_0043A7A0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,

0_2_0043A7A0

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00411F90 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event,

0_2_00411F90

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0040146B SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,	0_2_0040146B
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0040F956 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	0_2_0040F956
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0040F520 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040F520
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00412DD0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	0_2_00412DD0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004013F4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,	1_2_004013F4
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0040F520 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	1_2_0040F520
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0040F956 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	1_2_0040F956
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00412DD0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	1_2_00412DD0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004013F4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,	2_2_004013F4
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0040F520 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	2_2_0040F520
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0040F956 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	2_2_0040F956
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00412DD0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	2_2_00412DD0

System Summary

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Window found: window name: AutoHotkey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Window found: window name: AutoHotkey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Window found: window name: AutoHotkey	Jump to behavior

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00440870: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00440870

Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004561F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004561F0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004561F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_004561F0

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\SysWOW64\hal.dll

Jump to behavior

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0040C800	0_2_0040C800
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0049B08C	0_2_0049B08C
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0040C1E0	0_2_0040C1E0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_004999EF	0_2_004999EF
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0040DA40	0_2_0040DA40
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00496A05	0_2_00496A05
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00414AC1	0_2_00414AC1
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00414AC0	0_2_00414AC0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00408290	0_2_00408290
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0042F2A0	0_2_0042F2A0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0040F520	0_2_0040F520
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00401DE0	0_2_00401DE0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_004195A8	0_2_004195A8
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_004925B2	0_2_004925B2
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0041CEB4	0_2_0041CEB4
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00407FC0	0_2_00407FC0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0043A7A0	0_2_0043A7A0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004013F4	1_2_004013F4
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0049F010	1_2_0049F010
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0049B08C	1_2_0049B08C
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00460170	1_2_00460170
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0040C1E0	1_2_0040C1E0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0049D1F1	1_2_0049D1F1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00448260	1_2_00448260
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0047F260	1_2_0047F260
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00408290	1_2_00408290
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0042F2A0	1_2_0042F2A0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00420490	1_2_00420490
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00442570	1_2_00442570
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0040F520	1_2_0040F520
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004925B2	1_2_004925B2
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0048E600	1_2_0048E600
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004186B0	1_2_004186B0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00482755	1_2_00482755
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0041C700	1_2_0041C700
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004897EE	1_2_004897EE
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0043A7A0	1_2_0043A7A0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0043F870	1_2_0043F870
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0040C800	1_2_0040C800
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0049D8CD	1_2_0049D8CD
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00484970	1_2_00484970
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004829C5	1_2_004829C5
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004999EF	1_2_004999EF
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0040DA40	1_2_0040DA40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00496A05	1_2_00496A05
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00414AC0	1_2_00414AC0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00432DD0	1_2_00432DD0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00401DE0	1_2_00401DE0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00481E4B	1_2_00481E4B
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00499F40	1_2_00499F40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00475F00	1_2_00475F00
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00404F10	1_2_00404F10
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00407FC0	1_2_00407FC0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004013F4	2_2_004013F4
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0040F520	2_2_0040F520
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0049F010	2_2_0049F010
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0049B08C	2_2_0049B08C
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00460170	2_2_00460170
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0040C1E0	2_2_0040C1E0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0049D1F1	2_2_0049D1F1
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00448260	2_2_00448260
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0047F260	2_2_0047F260
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00408290	2_2_00408290
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0042F2A0	2_2_0042F2A0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00420490	2_2_00420490
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00442570	2_2_00442570
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004925B2	2_2_004925B2
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0048E600	2_2_0048E600
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004186B0	2_2_004186B0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00482755	2_2_00482755
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0041C700	2_2_0041C700
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004897EE	2_2_004897EE
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0043A7A0	2_2_0043A7A0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0043F870	2_2_0043F870
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0040C800	2_2_0040C800
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0049D8CD	2_2_0049D8CD
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00484970	2_2_00484970
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004829C5	2_2_004829C5
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004999EF	2_2_004999EF
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0040DA40	2_2_0040DA40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00496A05	2_2_00496A05
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00414AC0	2_2_00414AC0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00432DD0	2_2_00432DD0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00401DE0	2_2_00401DE0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00481E4B	2_2_00481E4B
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00499F40	2_2_00499F40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00475F00	2_2_00475F00
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00404F10	2_2_00404F10
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00407FC0	2_2_00407FC0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\aaa.exe F95E930591F548867F1193578379B51F760E0FE2881F1300175BF4215AD15900
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\kitty.exe E9766F9A92F93565A82237FF3AD16FAE0CA2A2795B0740911818AFF95010D163

Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: String function: 00476750 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: String function: 00430930 appears 268 times
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: String function: 0048FF69 appears 346 times
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: String function: 0049B270 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: String function: 00430680 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: String function: 004948A0 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: String function: 0049016D appears 54 times
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: String function: 004766B0 appears 73 times
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: String function: 00430930 appears 142 times
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: String function: 004766B0 appears 36 times
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: String function: 0048FF69 appears 161 times
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: String function: 00430680 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: String function: 00476750 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: String function: 00430930 appears 268 times
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: String function: 0048FF69 appears 346 times
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: String function: 0049B270 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: String function: 00430680 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: String function: 004948A0 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: String function: 0049016D appears 54 times
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: String function: 004766B0 appears 73 times

Source: Andrej Simulator X.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Andrej Simulator X.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Andrej Simulator X.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: Andrej Simulator X.exe	Binary or memory string: OriginalFilename vs Andrej Simulator X.exe
Source: Andrej Simulator X.exe, 00000000.00000000.1114625274.0000000000673000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs Andrej Simulator X.exe
Source: Andrej Simulator X.exe, 00000000.00000002.2982992524.000000000059C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs Andrej Simulator X.exe
Source: Andrej Simulator X.exe	Binary or memory string: OriginalFilename vs Andrej Simulator X.exe

Source: Andrej Simulator X.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal57.spyw.evad.winEXE@131/18@42/2

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00431620 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,

0_2_00431620

Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004561F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004561F0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004561F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_004561F0

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00440510 _wcsncpy,GetDiskFreeSpaceExW,

0_2_00440510

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00456400 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

0_2_00456400

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00441610 CoCreateInstance,__fassign,

0_2_00441610

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00478510 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW,

0_2_00478510

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3592:120:WilError_03

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

File created: C:\Users\user\AppData\Local\Temp\kitty.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Command line argument: /restart	1_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Command line argument: /force	1_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Command line argument: /ErrorStdOut	1_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Command line argument: A_Args	1_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Command line argument: A_Args	1_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Command line argument: AutoHotkey	1_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Command line argument: AutoHotkey	1_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Command line argument: Clipboard	1_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Command line argument: @HI	1_2_00494790
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Command line argument: /restart	2_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Command line argument: /force	2_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Command line argument: /ErrorStdOut	2_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Command line argument: A_Args	2_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Command line argument: A_Args	2_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Command line argument: AutoHotkey	2_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Command line argument: AutoHotkey	2_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Command line argument: Clipboard	2_2_00403D40
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Command line argument: @HI	2_2_00494790

Source: Andrej Simulator X.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\kitty.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Andrej Simulator X.exe	Virustotal: Detection: 56%
Source: Andrej Simulator X.exe	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\Andrej Simulator X.exe "C:\Users\user\Desktop\Andrej Simulator X.exe"
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Process created: C:\Users\user\AppData\Local\Temp\aaa.exe C:\Users\user\AppData\Local\Temp\aaa.exe
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Process created: C:\Users\user\AppData\Local\Temp\bbb.exe C:\Users\user\AppData\Local\Temp\bbb.exe
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2080,i,2628610554253254953,2625306694296692569,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Process created: C:\Users\user\AppData\Local\Temp\aaa.exe C:\Users\user\AppData\Local\Temp\aaa.exe	Jump to behavior
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Process created: C:\Users\user\AppData\Local\Temp\bbb.exe C:\Users\user\AppData\Local\Temp\bbb.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Users\user\AppData\Local\Temp\kitty.exe C:\Users\user\AppData\Local\Temp/kitty.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2080,i,2628610554253254953,2625306694296692569,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Section loaded: kbdsg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll

Source: C:\Users\user\AppData\Local\Temp\kitty.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Automated click: OK
Source: C:\Windows\SysWOW64\cmd.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Andrej Simulator X.exe

Static file information: File size 2804736 > 1048576

Source: Andrej Simulator X.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1e5c00

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00448010 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,_wcsncpy,_wcsrchr,WideCharToMultiByte,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00448010

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_004948E5 push ecx; ret	0_2_004948F8
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0042260D push eax; ret	0_2_00422614
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0042D4D4 push eax; iretd	1_2_0042D4D5
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004948E5 push ecx; ret	1_2_004948F8
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0042D4D4 push eax; iretd	2_2_0042D4D5
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004948E5 push ecx; ret	2_2_004948F8

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	File created: C:\Users\user\AppData\Local\Temp\aaa.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	File created: C:\Users\user\AppData\Local\Temp\kitty.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	File created: C:\Users\user\AppData\Local\Temp\bbb.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0043D800 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	0_2_0043D800
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00453120 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,	0_2_00453120
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00477AB0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00477AB0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0047A3E0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	0_2_0047A3E0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00439490 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,GetModuleHandleW,GetProcAddress,	0_2_00439490
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0047A520 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	0_2_0047A520
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0046A590 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	0_2_0046A590
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0043A7A0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	0_2_0043A7A0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0043AFB0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	0_2_0043AFB0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00460170 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints,	1_2_00460170
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00453120 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,	1_2_00453120
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0047A3E0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	1_2_0047A3E0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00463410 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	1_2_00463410
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00439490 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,GetModuleHandleW,GetProcAddress,	1_2_00439490
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0047A520 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	1_2_0047A520
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0046A590 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	1_2_0046A590
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00466740 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	1_2_00466740
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00466740 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	1_2_00466740
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0043A7A0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	1_2_0043A7A0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0043D800 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	1_2_0043D800
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0043C970 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	1_2_0043C970
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00477AB0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	1_2_00477AB0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00477B10 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	1_2_00477B10
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0043AFB0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	1_2_0043AFB0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00460170 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints,	2_2_00460170
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00453120 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,	2_2_00453120
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0047A3E0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	2_2_0047A3E0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00463410 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	2_2_00463410
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00439490 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,GetModuleHandleW,GetProcAddress,	2_2_00439490
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0047A520 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	2_2_0047A520
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0046A590 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	2_2_0046A590
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00466740 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	2_2_00466740
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00466740 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	2_2_00466740
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0043A7A0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	2_2_0043A7A0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0043D800 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	2_2_0043D800
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0043C970 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	2_2_0043C970
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00477AB0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	2_2_00477AB0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00477B10 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	2_2_00477B10
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0043AFB0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	2_2_0043AFB0

Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Window / User API: threadDelayed 3886			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Window / User API: foregroundWindowGot 1775			Jump to behavior

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	API coverage: 1.8 %
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	API coverage: 2.3 %

Source: C:\Users\user\Desktop\Andrej Simulator X.exe TID: 7084

Thread sleep time: -38860s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bbb.exe

Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000807

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Thread sleep count: Count: 3886 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00413E50 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 00413F3Fh country: Russian (ru)	0_2_00413E50
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00406F10 GetKeyboardLayout followed by cmp: cmp dword ptr [004cc1fch], ebx and CTI: je 004070D7h	0_2_00406F10
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00413E50 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 00413F3Fh country: Russian (ru)	1_2_00413E50
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00406F10 GetKeyboardLayout followed by cmp: cmp dword ptr [004cc1fch], ebx and CTI: je 004070D7h	1_2_00406F10
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00413E50 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 00413F3Fh country: Russian (ru)	2_2_00413E50
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00406F10 GetKeyboardLayout followed by cmp: cmp dword ptr [004cc1fch], ebx and CTI: je 004070D7h	2_2_00406F10

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_004774C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_004774C0
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_0042E210 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	0_2_0042E210
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004774C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	1_2_004774C0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004440A0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	1_2_004440A0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00456180 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00456180
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_0042E210 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	1_2_0042E210
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00444380 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	1_2_00444380
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00477430 FindFirstFileW,FindClose,GetFileAttributesW,	1_2_00477430
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004446C0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	1_2_004446C0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00455C10 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	1_2_00455C10
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00472DE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	1_2_00472DE0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00454FA0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	1_2_00454FA0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004774C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	2_2_004774C0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004440A0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	2_2_004440A0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00456180 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00456180
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_0042E210 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	2_2_0042E210
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00444380 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	2_2_00444380
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00477430 FindFirstFileW,FindClose,GetFileAttributesW,	2_2_00477430
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004446C0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	2_2_004446C0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00455C10 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	2_2_00455C10
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00472DE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	2_2_00472DE0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00454FA0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	2_2_00454FA0

Source: kitty.exe, 00000034.00000003.1654299494.0000000000712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: kitty.exe, 00000037.00000003.1658082032.0000000000603000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z^
Source: kitty.exe, 00000010.00000003.1228756881.00000000004DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: kitty.exe, 00000026.00000003.1495945955.000000000074A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: kitty.exe, 0000003A.00000003.1759459274.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

API call chain: ExitProcess graph end node

graph_0-40493

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00411090 GetKeyState,GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput,

0_2_00411090

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_004969F6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_004969F6

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

0_2_00448010

Source: C:\Users\user\AppData\Local\Temp\aaa.exe

Code function: 1_2_0049C88E __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_0049C88E

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_004969F6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004969F6
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00493DF5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00493DF5
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00498532 SetUnhandledExceptionFilter,	1_2_00498532
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004969F6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_004969F6
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00493DF5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00493DF5
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00498532 SetUnhandledExceptionFilter,	2_2_00498532
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004969F6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_004969F6
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00493DF5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00493DF5

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

0_2_00431620

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_004128F0 keybd_event,_malloc,_free,

0_2_004128F0

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00411F90 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event,

0_2_00411F90

Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"
Source: C:\Users\user\AppData\Local\Temp\kitty.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "echo a>%windir%\system32\hal.dll"

Source: Andrej Simulator X.exe, aaa.exe, bbb.exe	Binary or memory string: Program Manager
Source: Andrej Simulator X.exe, aaa.exe, bbb.exe	Binary or memory string: Shell_TrayWnd
Source: Andrej Simulator X.exe, aaa.exe, bbb.exe	Binary or memory string: Progman
Source: aaa.exe.0.dr	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00418117 SetCurrentDirectoryW,GetSystemTimeAsFileTime,

0_2_00418117

Source: C:\Users\user\AppData\Local\Temp\aaa.exe

Code function: 1_2_00445F40 GetComputerNameW,GetUserNameW,

1_2_00445F40

Source: C:\Users\user\Desktop\Andrej Simulator X.exe

Code function: 0_2_00414C41 GetModuleHandleW,GetProcAddress,GetVersionExW,__snwprintf,

0_2_00414C41

Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Source: bbb.exe	Binary or memory string: WIN_XP
Source: bbb.exe	Binary or memory string: WIN_VISTA
Source: bbb.exe	Binary or memory string: WIN_7
Source: bbb.exe	Binary or memory string: WIN_8
Source: aaa.exe.0.dr	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.33.08\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi
Source: bbb.exe	Binary or memory string: WIN_8.1

Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_00417010 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,_free,_free,_free,	0_2_00417010
Source: C:\Users\user\Desktop\Andrej Simulator X.exe	Code function: 0_2_004178B0 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,	0_2_004178B0
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_00417010 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,_free,_free,_free,	1_2_00417010
Source: C:\Users\user\AppData\Local\Temp\aaa.exe	Code function: 1_2_004178B0 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,	1_2_004178B0
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_00417010 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,_free,_free,_free,	2_2_00417010
Source: C:\Users\user\AppData\Local\Temp\bbb.exe	Code function: 2_2_004178B0 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,	2_2_004178B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	1 DLL Side-Loading	NTDS	24 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Andrej Simulator X.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Andrej Simulator X.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Andrej Simulator X.exe