Malware Analysis Report

2025-08-11 07:49

Sample ID: 241029-1x8dps1cjk
Target: UNBANSEVER.exe
SHA256: d7ffc0a81cd1bae45ba220a4fcbbae32b10cb2f7449e996bf3c57ee9b7f3c47b
Tags: xworm rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: d7ffc0a81cd1bae45ba220a4fcbbae32b10cb2f7449e996bf3c57ee9b7f3c47b

Threat Level: Known bad

The file UNBANSEVER.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Detect Xworm Payload

Xworm

Xworm family

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-29 22:02

Signatures

Unsigned PE (no per-event details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-29 22:02
Reported: 2024-10-29 22:03
Platform: win10ltsc2021-20241023-en
Max time kernel: 30s
Max time network: 6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe"

Signatures

Detect Xworm Payload (4 detections, no per-event details recorded)

Xworm (tags: trojan rat xworm)

Xworm family (tags: xworm)

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation
    Process: C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe
Key value queried: \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation
    Process: C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe

Looks up external IP address via web service

Indicator: ip-api.com

Enumerates physical storage devices

Kills process with taskkill

Tag: evasion

Process: C:\Windows\system32\taskkill.exe (36 rows, no further detail recorded per row)

The image names passed to taskkill /f /im are listed under Processes below. They are debuggers and disassemblers (OllyDbg, x64dbg/x32dbg, IDA), HTTP and packet sniffers (Fiddler, HTTP Debugger, Wireshark), process and dumping tools (Process Hacker, KsDumper), the de4dot .NET deobfuscator, the Xenos injector and several Cheat Engine builds, plus Riot's client and Vanguard tray (RiotClienServices.exe, misspelled in the sample, and vgtray.exe). Killing that set is anti-analysis behaviour, not housekeeping.

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege    Process: C:\Users\Admin\AppData\Roaming\svchost.exe
Token: SeDebugPrivilege    Process: C:\ProgramData\SecurityHealthSystray.exe
Token: SeDebugPrivilege    Process: C:\Windows\system32\taskkill.exe (34 rows, one per taskkill /f invocation)

taskkill.exe enables SeDebugPrivilege on its own token so that /f can open processes it does not own, so the taskkill rows are a side effect of the kill commands listed under Processes. The two rows worth acting on are the dropped svchost.exe and SecurityHealthSystray.exe: both borrow the name of a Windows binary but run from a user-writable directory instead of C:\Windows\System32.

Suspicious use of WriteProcessMemory

The sandbox logs each write twice; duplicate rows are collapsed here. Every writer/target pair coincides with a parent/child pair of the process tree, which is the pattern of a parent setting up a child it has just created rather than of injection into an unrelated process. Only the first 14 cmd.exe children appear in this table; the Processes section below lists all 37.

PID 1296 wrote to memory of 1616    C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe -> C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe
PID 1296 wrote to memory of 4520    C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe -> C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1616 wrote to memory of 1968    C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe -> C:\ProgramData\UNBANSEVER.exe
PID 1616 wrote to memory of 2556    C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe -> C:\ProgramData\SecurityHealthSystray.exe

PID 1968 wrote to memory of 2164, 4984, 2372, 2108, 1852, 2636, 4720, 456, 2132, 900, 2512, 3924, 4528, 4596
    C:\ProgramData\UNBANSEVER.exe -> C:\Windows\system32\cmd.exe (14 cmd.exe children)

cmd.exe -> taskkill.exe (C:\Windows\system32\cmd.exe -> C:\Windows\system32\taskkill.exe), parent -> child:
    2164 -> 1984, 4984 -> 3996, 2372 -> 3668, 2108 -> 4184, 1852 -> 4696, 2636 -> 1252, 4720 -> 4692,
    456 -> 4764, 2132 -> 2672, 900 -> 2856, 2512 -> 1120, 3924 -> 4188, 4528 -> 548, 4596 -> 412
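The rows above are enough to rebuild the process tree and to spot the two masquerading binaries mechanically. The script below is an added example and not part of the sandbox report: it parses rows copied from the table (one duplicate kept to show the de-duplication), prints the tree, and flags any well-known Windows image name (svchost.exe, SecurityHealthSystray.exe, cmd.exe, taskkill.exe) that runs from outside System32/SysWOW64. The directory allow-list and the image-name set are this example's own assumptions, not something the report states.

```python
"""Rebuild the process tree from the sandbox's WriteProcessMemory rows and
flag Windows image names running outside their normal directory.

Added example, not part of the sandbox report. The rows are copied from the
table above (one duplicate kept to show the de-duplication); the set of
system directories and of impersonated image names is this example's own."""
import re
from collections import defaultdict

ROWS = r"""
PID 1296 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe
PID 1296 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe
PID 1296 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1616 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe C:\ProgramData\UNBANSEVER.exe
PID 1616 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe C:\ProgramData\SecurityHealthSystray.exe
PID 1968 wrote to memory of 2164 N/A C:\ProgramData\UNBANSEVER.exe C:\Windows\system32\cmd.exe
PID 2164 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
"""

# Paths in this report contain no spaces, so \S+ is enough for a path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumption of this example: where these Windows image names legitimately live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WINDOWS_IMAGES = {"svchost.exe", "securityhealthsystray.exe", "cmd.exe", "taskkill.exe"}


def parse_rows(text):
    """Return unique (parent_pid, child_pid, parent_path, child_path) tuples."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in edges:  # the sandbox logs each write twice
            edges.append(edge)
    return edges


def is_masquerading(path):
    """True when a well-known Windows image name runs outside a system directory."""
    directory, _, name = path.rpartition("\\")
    return name.lower() in WINDOWS_IMAGES and directory.lower() not in SYSTEM_DIRS


def build_tree(edges):
    """Map parent pid -> child pids, and pid -> image path."""
    children = defaultdict(list)
    image = {}
    for ppid, cpid, ppath, cpath in edges:
        children[ppid].append(cpid)
        image.setdefault(ppid, ppath)
        image.setdefault(cpid, cpath)
    return children, image


def roots(edges):
    """Pids that write to others but are never written to: the top of the tree."""
    parents = {e[0] for e in edges}
    kids = {e[1] for e in edges}
    return sorted(parents - kids)


def render_tree(edges):
    """Indented tree, one process per line, masquerades marked."""
    children, image = build_tree(edges)
    lines = []

    def walk(pid, depth):
        flag = "  [MASQUERADE]" if is_masquerading(image[pid]) else ""
        lines.append(f"{'  ' * depth}{pid} {image[pid]}{flag}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return "\n".join(lines)


def find_masquerades(edges):
    """Sorted list of image paths that impersonate a Windows binary."""
    _, image = build_tree(edges)
    return sorted(p for p in image.values() if is_masquerading(p))


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print(render_tree(edges))
    print("masquerading images:", find_masquerades(edges))
```

Run stand-alone it prints the tree rooted at PID 1296 with C:\Users\Admin\AppData\Roaming\svchost.exe and C:\ProgramData\SecurityHealthSystray.exe marked; the same `is_masquerading` check applies unchanged to Sysmon or EDR process-creation events once the image path is extracted.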

Processes

C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe
    "C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe"

C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe
    "C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\ProgramData\UNBANSEVER.exe
    "C:\ProgramData\UNBANSEVER.exe"

C:\ProgramData\SecurityHealthSystray.exe
    "C:\ProgramData\SecurityHealthSystray.exe"

C:\Windows\system32\cmd.exe (37 instances, in order of execution)
    C:\Windows\system32\cmd.exe /c taskkill /f /im RiotClienServices.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im vgtray.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\taskkill.exe (36 instances, one per cmd.exe above except the final cls)
    taskkill /f /im RiotClienServices.exe
    taskkill /f /im vgtray.exe
    taskkill /f /im HTTPDebuggerUI.exe
    taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe
    taskkill /f /im KsDumperClient.exe
    taskkill /f /im KsDumper.exe
    taskkill /f /im HTTPDebuggerUI.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    taskkill /f /im ProcessHacker.exe
    taskkill /f /im idaq.exe
    taskkill /f /im idaq64.exe
    taskkill /f /im Wireshark.exe
    taskkill /f /im Fiddler.exe
    taskkill /f /im FiddlerEverywhere.exe
    taskkill /f /im Xenos64.exe
    taskkill /f /im Xenos.exe
    taskkill /f /im Xenos32.exe
    taskkill /f /im de4dot.exe
    taskkill /f /im Cheat Engine.exe
    taskkill /f /im cheatengine-x86_64.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    taskkill /f /im MugenJinFuu-i386.exe
    taskkill /f /im cheatengine-x86_64.exe
    taskkill /f /im cheatengine-i386.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    taskkill /f /im KsDumper.exe
    taskkill /f /im OllyDbg.exe
    taskkill /f /im x64dbg.exe
    taskkill /f /im x32dbg.exe
    taskkill /f /im HTTPDebuggerUI.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    taskkill /f /im Ida64.exe
    taskkill /f /im OllyDbg.exe
    taskkill /f /im Dbg64.exe
    taskkill /f /im Dbg32.exe
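A burst of `taskkill /f /im` aimed at analysis tools, all from one parent, is the detection opportunity in this listing. The script below is an added example, not code from the sandbox or from the sample: it reads constructed process-creation lines in the form "<parent pid> <command line>" (an assumption standing in for Sysmon event 1 or EDR telemetry), with PID 1968 (C:\ProgramData\UNBANSEVER.exe, the parent of the cmd.exe children in the WriteProcessMemory table) issuing kills copied from the list above and a made-up PID 4242 killing a single process as a benign control. The analysis-tool name set and the threshold of five distinct targets are the example's own. It also reports names that contain spaces but were passed unquoted ("Cheat Engine.exe", "HTTP Debugger Windows Service (32 bit).exe"): cmd.exe splits those into several arguments, so taskkill only ever sees the first word as the image name and those kills cannot hit their intended process.

```python
"""Flag a process that fires taskkill /f /im at many analysis tools in a row.

Added example: the sandbox report does not contain this code. The log lines
are constructed from the cmd.exe command lines listed above; the format
"<parent pid> <command line>" is an assumption standing in for whatever
process-creation telemetry (Sysmon event 1, EDR) a hunter would really read."""
import re
from collections import defaultdict

# Constructed input: PID 1968 is C:\ProgramData\UNBANSEVER.exe, the parent of
# the cmd.exe children recorded in the report. PID 4242 is a made-up benign
# administrator killing a single process, used as a control.
LOG = r"""
1968 C:\Windows\system32\cmd.exe /c taskkill /f /im RiotClienServices.exe >nul 2>&1
1968 C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
1968 C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
1968 C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
1968 C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
1968 C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
1968 C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
1968 C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
1968 C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
1968 C:\Windows\system32\cmd.exe /c cls
4242 C:\Windows\system32\cmd.exe /c taskkill /f /im notepad.exe >nul 2>&1
"""

# Image names targeted by the sample that are known debugging / analysis
# tools (lower-cased). Hand-curated for this example; extend as needed.
ANALYSIS_TOOLS = {
    "httpdebuggerui.exe", "httpdebuggersvc.exe", "processhacker.exe",
    "idaq.exe", "idaq64.exe", "ida64.exe", "wireshark.exe", "fiddler.exe",
    "fiddlereverywhere.exe", "ollydbg.exe", "x64dbg.exe", "x32dbg.exe",
    "de4dot.exe", "ksdumper.exe", "ksdumperclient.exe", "cheat engine.exe",
    "cheatengine-x86_64.exe", "cheatengine-i386.exe",
    "cheatengine-x86_64-sse4-avx2.exe", "dbg64.exe", "dbg32.exe",
}

# Captures everything after '/im' up to an optional trailing '>nul 2>&1'.
TASKKILL_RE = re.compile(r"taskkill\s+/f\s+/im\s+(.+?)\s*(?:>nul\s+2>&1)?\s*$", re.I)


def extract_target(cmdline):
    """Return the image name given to 'taskkill /f /im', or None."""
    m = TASKKILL_RE.search(cmdline)
    return m.group(1) if m else None


def detect_kill_spray(log, threshold=5):
    """Map parent pid -> sorted distinct kill targets, keeping only parents
    that killed at least `threshold` distinct image names."""
    per_parent = defaultdict(set)
    for line in log.strip().splitlines():
        ppid, _, cmdline = line.partition(" ")
        target = extract_target(cmdline)
        if target:
            per_parent[int(ppid)].add(target.lower())
    return {ppid: sorted(t) for ppid, t in per_parent.items() if len(t) >= threshold}


def classify(targets):
    """Split targets into known analysis tools, everything else, and names
    with spaces passed unquoted (taskkill only receives the first word)."""
    known = [t for t in targets if t in ANALYSIS_TOOLS]
    other = [t for t in targets if t not in ANALYSIS_TOOLS]
    malformed = [t for t in targets if " " in t and not t.startswith('"')]
    return known, other, malformed


if __name__ == "__main__":
    for ppid, targets in detect_kill_spray(LOG).items():
        known, other, malformed = classify(targets)
        print(f"parent {ppid}: {len(targets)} distinct kill targets, "
              f"{len(known)} known analysis tools")
        print("  analysis tools:", ", ".join(known))
        print("  other:", ", ".join(other))
        print("  unquoted names with spaces (kill ineffective):", ", ".join(malformed))
```

Keying on distinct targets per parent rather than on any single image name keeps the rule robust to renamed or added tools; the single benign kill from PID 4242 stays below the threshold.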

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            75.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            ip-api.com                      udp
US       208.95.112.1:80       ip-api.com                      tcp
US       208.95.112.1:80       ip-api.com                      tcp
US       8.8.8.8:53            1.112.95.208.in-addr.arpa       udp
US       8.8.8.8:53            -                               udp
N/A      172.202.163.200:443   -                               tcp

The in-addr.arpa names are reverse (PTR) lookups; 1.112.95.208.in-addr.arpa maps back to 208.95.112.1, the ip-api.com address contacted above. The geolocation request to ip-api.com goes over plain HTTP on port 80, so it is visible in DNS and proxy logs. No domain was recorded for the 172.202.163.200:443 connection.

Files

memory/1296-0-0x00007FF807763000-0x00007FF807765000-memory.dmp
memory/1296-1-0x0000000000EA0000-0x0000000000F64000-memory.dmp

C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe
    MD5     ed22ee40a790a5153cd085e9dbd7391f
    SHA1    f4e4d5723b2402c9a1c972b2c40ce2311d10171e
    SHA256  a4504aa12e11ba425fca91830b3bed4834dd44109a01d5ff8c75e110a482fcc5
    SHA512  5cb1b65f1c7861f89f09fb35b0a3ce189f4ded76c952b60f4a5fdb7f6abca3268fa768a6576ff9f09d106e6ed0ba4391ddd9aabc684b7e3101f0fd64cdbcd5a3

C:\Users\Admin\AppData\Roaming\svchost.exe
    MD5     ae702d156a2ee10aa0df4e5a365654a1
    SHA1    bad92787d53da53bda2f180f770752e679ba80c0
    SHA256  07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
    SHA512  3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

memory/1616-32-0x0000000000E20000-0x0000000000ED0000-memory.dmp
memory/4520-30-0x0000000000F70000-0x0000000000F88000-memory.dmp
memory/1616-34-0x00007FF807760000-0x00007FF808222000-memory.dmp

C:\ProgramData\UNBANSEVER.exe
    MD5     6c08ba3b33673a7979167a6138a42544
    SHA1    a065fa0d2d8d1d82dbb6cd1e1b3c8be2a09c74d1
    SHA256  bed8d059ed403a6ff674aee820d5b3b0df4e072d1e86d09af8b55703abe31038
    SHA512  69ea45439d6a965758fe8e8bbe05f6d247231e72d98e7396a77f6958636b968eb43742dcc4a1be4a9f05e67a0b2c526c16e27b7e7c64ce8fafed7531d180c03e

C:\ProgramData\SecurityHealthSystray.exe
    MD5     08cc682417292fe4a048e5e466b13a1b
    SHA1    bd2feb697b639327de8eb67e6ac4957df8f3b7b3
    SHA256  38182c14bb826f357f1348df2affc840df3173054347b4883b0e3ae18402448c
    SHA512  f5c5c49e9d652bdc3d89912880c2eefa80cce28fc3ecb7e3bb267969bd6dc79a5c8e218c307c869df2e63c50bb97a37813e47c6a87170c83a1bae4f9bf538267

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UNBANSEVER.exe.log
    MD5     11c6e74f0561678d2cf7fc075a6cc00c
    SHA1    535ee79ba978554abcb98c566235805e7ea18490
    SHA256  d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
    SHA512  32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

memory/4520-56-0x00007FF807760000-0x00007FF808222000-memory.dmp
memory/2556-60-0x00000000008A0000-0x00000000008C2000-memory.dmp
memory/1616-61-0x00007FF807760000-0x00007FF808222000-memory.dmp
memory/4520-63-0x00007FF807760000-0x00007FF808222000-memory.dmp

Two points for hunting. None of the four dropped executables shares the submitted sample's SHA256 (d7ffc0a8...), and the two UNBANSEVER.exe copies differ from each other, so each stage is a distinct binary rather than a self-copy; block and search on all five hashes, not just the submitted one. The CLR_v4.0\UsageLogs\UNBANSEVER.exe.log file is written by the .NET Framework 4 runtime when a managed assembly runs, which confirms the sample is a .NET executable.