URL: https://kittiescraftsmp.com/

Full analysis: https://app.any.run/tasks/9c9c9c92-aea2-4023-98dd-c5251738e03f
Verdict: Malicious activity
Threats:

Stealers are a category of malware intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 17, 2026, 14:21:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
discord
qrcode
anti-evasion
arch-doc
stealer
python
generic
nodejs
Indicators:
MD5: 2726052F7AE447A98541BF5E3D4D6151
SHA1: 75C192C0CDBBC10C5B69E1236F1BB876B575097D
SHA256: 45F2712D48B50FBA0269D124F065A0F7F79FA2C99F3541EBCF70E6540A76A929
SSDEEP: 3:N8J3Msqd:2SZd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8772)
    • Changes the autorun value in the registry

      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8760)
    • Changes Windows Defender settings

      • KittiesLauncher.exe (PID: 8908)
    • Adds process to the Windows Defender exclusion list

      • KittiesLauncher.exe (PID: 8908)
    • Changes powershell execution policy (Bypass)

      • KittiesLauncher.exe (PID: 8908)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 7896)
      • cmd.exe (PID: 1868)
    • Steals Discord credentials and data (YARA)

      • KittiesLauncher.exe (PID: 8760)
    • Get Monitor Information (POWERSHELL)

      • cmd.exe (PID: 8512)
      • cmd.exe (PID: 3172)
    • Actions look like stealing of personal data

      • KittiesLauncher.exe (PID: 8760)
    • Steals credentials from Web Browsers

      • KittiesLauncher.exe (PID: 8760)
      • Extractor.exe (PID: 3156)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • KittiesLauncher.exe (PID: 8908)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 8960)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8772)
      • powershell.exe (PID: 3580)
      • powershell.exe (PID: 1860)
      • powershell.exe (PID: 7924)
    • Script adds exclusion process to Windows Defender

      • KittiesLauncher.exe (PID: 8908)
    • The process creates files with name similar to system file names

      • KittiesLauncher.exe (PID: 8908)
    • Starts POWERSHELL.EXE for commands execution

      • KittiesLauncher.exe (PID: 8908)
      • cmd.exe (PID: 9080)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 8512)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 6472)
      • cmd.exe (PID: 5564)
      • cmd.exe (PID: 7764)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 7896)
    • Drops 7-zip archiver for unpacking

      • KittiesLauncher.exe (PID: 8908)
    • Executable content was dropped or overwritten

      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8760)
      • Extractor.exe (PID: 1352)
    • Adds exclusion path to Windows Defender (POWERSHELL)

      • KittiesLauncher.exe (PID: 8908)
    • The process bypasses the loading of PowerShell profile settings

      • KittiesLauncher.exe (PID: 8908)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 7896)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 8476)
      • cmd.exe (PID: 8220)
      • cmd.exe (PID: 7276)
      • cmd.exe (PID: 1868)
    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 8220)
      • cmd.exe (PID: 8476)
      • cmd.exe (PID: 8132)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 3536)
      • cmd.exe (PID: 8972)
      • cmd.exe (PID: 9080)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 9156)
      • cmd.exe (PID: 8512)
      • cmd.exe (PID: 1352)
      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 7276)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 4124)
      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 8220)
      • cmd.exe (PID: 8120)
      • cmd.exe (PID: 2308)
      • cmd.exe (PID: 6472)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 4124)
      • cmd.exe (PID: 5564)
      • cmd.exe (PID: 7764)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 4564)
      • cmd.exe (PID: 1280)
      • cmd.exe (PID: 4280)
      • cmd.exe (PID: 4384)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 7896)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 8476)
      • cmd.exe (PID: 8220)
      • cmd.exe (PID: 8132)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 8972)
      • cmd.exe (PID: 3536)
      • cmd.exe (PID: 9156)
      • cmd.exe (PID: 9080)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 1352)
      • cmd.exe (PID: 8512)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 7276)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 8220)
      • cmd.exe (PID: 4124)
      • cmd.exe (PID: 8120)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 2308)
      • cmd.exe (PID: 6472)
      • cmd.exe (PID: 4124)
      • cmd.exe (PID: 5564)
      • cmd.exe (PID: 7764)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 4564)
      • cmd.exe (PID: 1280)
      • cmd.exe (PID: 4280)
      • cmd.exe (PID: 4384)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 7896)
    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 8476)
      • cmd.exe (PID: 8132)
      • cmd.exe (PID: 8220)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 3536)
      • cmd.exe (PID: 8972)
      • cmd.exe (PID: 9156)
      • cmd.exe (PID: 9080)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 8512)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 1352)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 7276)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 8220)
      • cmd.exe (PID: 4124)
      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 8120)
      • cmd.exe (PID: 2308)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 6472)
      • cmd.exe (PID: 4124)
      • cmd.exe (PID: 5564)
      • cmd.exe (PID: 7764)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 4564)
      • cmd.exe (PID: 1280)
      • cmd.exe (PID: 4280)
      • cmd.exe (PID: 4384)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 7896)
    • Checks VM related registry

      • cmd.exe (PID: 8132)
      • reg.exe (PID: 7184)
      • reg.exe (PID: 7556)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 3536)
      • reg.exe (PID: 7792)
      • reg.exe (PID: 2136)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 4124)
      • reg.exe (PID: 8396)
      • cmd.exe (PID: 8168)
      • reg.exe (PID: 7412)
      • cmd.exe (PID: 8220)
      • reg.exe (PID: 9080)
      • cmd.exe (PID: 8120)
      • reg.exe (PID: 8744)
    • Application launched itself

      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8908)
      • Extractor.exe (PID: 1352)
    • Uses REG/REGEDIT.EXE to modify or delete registry entries

      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 8168)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 9156)
      • cmd.exe (PID: 2308)
    • The process checks if it is being run in the virtual environment

      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8908)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7460)
      • WMIC.exe (PID: 8812)
    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 1352)
      • cmd.exe (PID: 4564)
    • Uses WMIC.EXE to obtain temperature sensor information

      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 1280)
    • Uses WMIC.EXE

      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 4280)
    • Get information on the list of running processes

      • KittiesLauncher.exe (PID: 8760)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 4384)
      • KittiesLauncher.exe (PID: 8908)
    • Possible stealing from browsers

      • KittiesLauncher.exe (PID: 8760)
      • Extractor.exe (PID: 3156)
    • Process drops python dynamic module

      • Extractor.exe (PID: 1352)
    • The process drops C-runtime libraries

      • Extractor.exe (PID: 1352)
    • Loads Python modules

      • Extractor.exe (PID: 3156)
    • Possible stealing from crypto wallets

      • KittiesLauncher.exe (PID: 8760)
    • Loads DLL from Mozilla Firefox

      • KittiesLauncher.exe (PID: 8760)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 7896)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 7896)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3580)
      • powershell.exe (PID: 1860)
      • powershell.exe (PID: 7924)
  • INFO

    • Reads Environment values

      • identity_helper.exe (PID: 8152)
      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8296)
    • Checks supported languages

      • identity_helper.exe (PID: 8152)
      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 5444)
      • KittiesLauncher.exe (PID: 5848)
      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8296)
      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8784)
      • KittiesLauncher.exe (PID: 8912)
      • KittiesLauncher.exe (PID: 8204)
      • KittiesLauncher.exe (PID: 4480)
      • Extractor.exe (PID: 1352)
      • Extractor.exe (PID: 3156)
    • Manual execution by a user

      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8788)
      • KittiesLauncher.exe (PID: 9000)
      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 9160)
    • Application launched itself

      • msedge.exe (PID: 7704)
    • Reads the computer name

      • identity_helper.exe (PID: 8152)
      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 5848)
      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8784)
      • KittiesLauncher.exe (PID: 8204)
      • Extractor.exe (PID: 1352)
      • Extractor.exe (PID: 3156)
    • The sample is compiled with English language support

      • KittiesLauncher.exe (PID: 8908)
      • Extractor.exe (PID: 1352)
    • Creates files in a temporary directory

      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8760)
      • Extractor.exe (PID: 1352)
      • Extractor.exe (PID: 3156)
      • KittiesLauncher.exe (PID: 8908)
    • Launching a file from a Registry key

      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8760)
    • Gets the execution policy for the powershell session

      • KittiesLauncher.exe (PID: 8908)
    • Context menu (right-click) prevention is present

      • msedge.exe (PID: 7704)
    • Reads security settings of Internet Explorer

      • KittiesLauncher.exe (PID: 8908)
      • WMIC.exe (PID: 4128)
      • WMIC.exe (PID: 7796)
      • WMIC.exe (PID: 7460)
      • WMIC.exe (PID: 6752)
      • WMIC.exe (PID: 7424)
      • WMIC.exe (PID: 8952)
      • WMIC.exe (PID: 8356)
      • WMIC.exe (PID: 7288)
      • WMIC.exe (PID: 8812)
      • WMIC.exe (PID: 4684)
      • WMIC.exe (PID: 6044)
      • WMIC.exe (PID: 8328)
    • There is functionality for taking screenshot (YARA)

      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 5444)
    • Creates files or folders in the user directory

      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8784)
      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8204)
    • Creates a software uninstall entry

      • KittiesLauncher.exe (PID: 8908)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8772)
      • powershell.exe (PID: 8960)
      • powershell.exe (PID: 2996)
    • Process checks computer location settings

      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8296)
      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 4480)
    • Reads product name

      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8908)
      • KittiesLauncher.exe (PID: 8296)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8772)
      • powershell.exe (PID: 7428)
      • powershell.exe (PID: 7452)
      • powershell.exe (PID: 7152)
      • powershell.exe (PID: 7824)
    • Reads CPU info

      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8908)
    • Reads the machine GUID from the registry

      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 8908)
    • Node.js compiler has been detected

      • KittiesLauncher.exe (PID: 8760)
      • KittiesLauncher.exe (PID: 5444)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 305
Monitored processes: 157
Malicious processes: 6
Suspicious processes: 15

Behavior graph

(Interactive process graph, available in the full report. Processes shown: msedge.exe, identity_helper.exe, winrar.exe, kittieslauncher.exe, powershell.exe, conhost.exe, cmd.exe, wmic.exe, reg.exe, tasklist.exe, extractor.exe.)

Process information

Each entry lists the PID, command line, path, parent process and the loaded images.

PID: 508
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4852,i,1723749175838966128,14916747865658089833,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=4932 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 680
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1116
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6384,i,1723749175838966128,14916747865658089833,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1140
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1280
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "wmic /namespace:\\root\wmi PATH MsAcpi_ThermalZoneTemperature get CurrentTemperature"
Path: C:\Windows\System32\cmd.exe
Parent process: KittiesLauncher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 2147749900 (0x8004100C, WBEM_E_NOT_SUPPORTED: the thermal zone query returned no data)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1284
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5500,i,1723749175838966128,14916747865658089833,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1352
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "wmic bios get serialnumber"
Path: C:\Windows\System32\cmd.exe
Parent process: KittiesLauncher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1352
CMD: "C:\Program Files\KittiesLauncher\resources\lib\Extractor.exe"
Path: C:\Program Files\KittiesLauncher\resources\lib\Extractor.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\kittieslauncher\resources\lib\extractor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 99 401
Read events: 99 323
Write events: 23
Delete events: 55

Modification events

(PID) Process: (8504) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (8504) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (8504) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Downloads\chromium_build 1.zip

(PID) Process: (8504) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\KittiesSetup.zip

(PID) Process: (8504) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (8504) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (8504) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (8504) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (8908) KittiesLauncher.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\e840f841-dc9b-583b-8a4d-254f9530ae29
Operation: write
Name: InstallLocation
Value: C:\Program Files\KittiesLauncher

(PID) Process: (8908) KittiesLauncher.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\e840f841-dc9b-583b-8a4d-254f9530ae29
Operation: write
Name: KeepShortcuts
Value: true
Executable files: 110
Suspicious files: 271
Text files: 1 026
Unknown types: 10

Dropped files

PID | Process | Filename (the Type, MD5 and SHA256 columns are empty in this export)
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFdfd1d.TMP
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFdfd2d.TMP
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFdfd2d.TMP
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFdfd2d.TMP
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFdfd5c.TMP
7704 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 99
TCP/UDP connections: 88
DNS requests: 89
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7728 | msedge.exe | GET | 301 | 23.207.210.143:443 | https://img1.wsimg.com/traffic-assets/js/tccl.min.js | NL | (not shown) | (not shown) | unknown
(not shown) | (not shown) | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | US | binary | 312 b | whitelisted
(not shown) | (not shown) | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | US | binary | 959 b | whitelisted
7728 | msedge.exe | GET | 200 | 150.171.27.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:Flpd0ZwI5z_ybVZgM1LAvYGo3zRgFgabmLDclUrEO3A&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | text | 101 b | whitelisted
7728 | msedge.exe | GET | 200 | 104.18.22.222:443 | https://copilot.microsoft.com/c/api/user/eligibility | US | text | 25 b | whitelisted
7728 | msedge.exe | GET | 200 | 150.171.27.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | US | text | 132 b | whitelisted
7728 | msedge.exe | GET | 301 | 23.207.210.143:443 | https://img1.wsimg.com/traffic-assets/js/tccl.min.js | NL | (not shown) | (not shown) | unknown
7728 | msedge.exe | GET | 200 | 188.114.96.3:443 | https://kittiescraftsmp.com/images/logo.png | US | image | 9.15 Kb | unknown
7728 | msedge.exe | GET | 200 | 150.171.109.193:443 | https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US | US | binary | 82 b | whitelisted
7728 | msedge.exe | GET | 200 | 104.17.24.14:443 | https://cdnjs.cloudflare.com/ajax/libs/animate.css/4.1.1/animate.min.css | US | text | 70.0 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4872 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | (none) | Not routed | (none) | whitelisted
5276 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(not shown) | (not shown) | 128.24.231.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5532 | SearchApp.exe | 2.16.241.223:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
(not shown) | (not shown) | 172.66.2.5:80 | ocsp.digicert.com | CLOUDFLARENET | US | whitelisted
(not shown) | (not shown) | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | (none) | Not routed | (none) | whitelisted
7728 | msedge.exe | 150.171.27.11:80 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7728 | msedge.exe | 150.171.22.17:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
activation-v2.sls.microsoft.com
  • 128.24.231.65
whitelisted
www.bing.com
  • 2.16.241.223
  • 2.16.241.222
  • 2.16.241.218
  • 2.16.241.205
  • 2.16.241.221
  • 2.16.241.206
  • 2.16.241.207
  • 2.16.241.201
  • 2.16.241.219
whitelisted
ocsp.digicert.com
  • 172.66.2.5
  • 162.159.142.9
whitelisted
google.com
  • 142.251.208.174
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
kittiescraftsmp.com
  • 188.114.96.3
  • 188.114.97.3
unknown
api.edgeoffer.microsoft.com
  • 150.171.109.193
whitelisted

Threats

PID | Process | Class | Message
7728 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
7728 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
7728 | msedge.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7728 | msedge.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7728 | msedge.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
7728 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7728 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7728 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
7728 | msedge.exe | Misc activity | ET HUNTING Discord WebHook Activity M2 (Contains Key, embeds)
7728 | msedge.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] HTTP request to Discord API via webhook
No debug info