Malware Analysis Report

2025-08-05 12:32

Sample ID 230501-yxzqfsac3v
Target Servjjjer.exe.bin
SHA256 6894c104c50fea8b20c9d459919854463fa2aad13165bb0650deb946fb3b7de7
Tags
asyncrat redline stormkitty default infostealer rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6894c104c50fea8b20c9d459919854463fa2aad13165bb0650deb946fb3b7de7

Threat Level: Known bad

The file Servjjjer.exe.bin was found to be: Known bad.

Malicious Activity Summary

asyncrat redline stormkitty default infostealer rat spyware stealer

RedLine

StormKitty payload

AsyncRat

Asyncrat family

Async RAT payload

Stormkitty family

Detects Redline Stealer samples

StormKitty

Async RAT payload

Reads user/profile data of web browsers

Looks up geolocation information via web service

Looks up external IP address via web service

Drops desktop.ini file(s)

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 20:10

Signatures

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 20:10

Reported

2023-05-01 20:15

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe"

Signatures

AsyncRat

rat asyncrat

Detects Redline Stealer samples

stealer

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File created C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File created C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File created C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File created C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File created C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4088 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4916 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4916 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4916 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4916 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4916 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4916 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4916 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4916 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4088 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1632 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1632 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1632 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1632 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1632 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe

"C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
IN 40.126.17.133:443 tcp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 140.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 218.25.30.184.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 97.85.19.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
US 8.8.8.8:53 240.232.18.117.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 139.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 240.232.229.192.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp

Files

memory/4088-133-0x0000000000FC0000-0x0000000000FF2000-memory.dmp

memory/4088-134-0x0000000005940000-0x0000000005950000-memory.dmp

memory/4088-135-0x0000000005CC0000-0x0000000005D26000-memory.dmp

memory/4088-136-0x0000000005940000-0x0000000005950000-memory.dmp

C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\283db8aab9978c482b6b34ce9843e6b5\Admin@OZADSVWH_en-US\System\Process.txt

MD5 621a97cca6d51929c81dc3b196ee34d8
SHA1 8ce17dd0017befa83533ef00c165ea3796a72beb
SHA256 ce21dc62e1c292a805a543e0641badca7cf5ec143ba4633723ff88940224f415
SHA512 bc27e3f4032ea61de30f31104ab6673e4389a84673f926faa84e6a98afa2871f7bcdfdc55f92c25d55f638da14cfe329d2e43a727a51be9040e72a8f8a9b9275

memory/4088-271-0x00000000063C0000-0x0000000006452000-memory.dmp

memory/4088-272-0x0000000007040000-0x00000000075E4000-memory.dmp

memory/4088-273-0x0000000005940000-0x0000000005950000-memory.dmp

memory/4088-277-0x00000000064B0000-0x00000000064BA000-memory.dmp

C:\Users\Admin\AppData\Local\228814d66cd77b02b66fe83b7cd036e4\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4088-283-0x0000000005940000-0x0000000005950000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 20:10

Reported

2023-05-01 20:15

Platform

win7-20230220-en

Max time kernel

143s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File created C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File created C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
File created C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1216 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1216 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1216 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1216 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1216 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1216 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1216 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1216 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1216 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1216 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1216 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2032 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1360 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1360 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1360 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1360 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1360 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1360 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1360 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe

"C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 104.21.44.66:443 api.mylnikov.org tcp

Files

memory/2032-54-0x0000000000ED0000-0x0000000000F02000-memory.dmp

memory/2032-55-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/2032-56-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/2032-124-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/2032-128-0x0000000004B80000-0x0000000004BC0000-memory.dmp