42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2

Analysis

max time kernel
159s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
Size

1.9MB
MD5

cfc99b9f63979b39e37bbe2a8811b8a8
SHA1

9a2061edb53df5a937b455938185b0cb6aeb46c8
SHA256

42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2
SHA512

8eda0061246dec5d8bcac8b7c27786ed3cdd94b61f5c70bd2d58642b7a8246d23465aea1209d3e2b0ab8e6ebeb3abad6604f5c7fc426edf7bd7d7fabf6f79a84
SSDEEP

49152:lXz+1OvV11rjqdO5tFL16WT53GJAkpeVCmJUn8pOX:lXz+1Ot1lWdocWT52ukmCmCn8pOX

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 29 IoCs

pid	Process
1204	winsys.exe
5020	AntiCheat.exe
4548	winsys.exe
4020	winsys.exe
4412	winsys.exe
3968	AntiCheat.exe
2464	systeme.exe
1420	systeme.exe
912	systeme.exe
5036	systeme.exe
2096	systeme.exe
2704	systeme.exe
844	systeme.exe
1244	systeme.exe
1916	systeme.exe
1260	systeme.exe
404	systeme.exe
4856	systeme.exe
1300	systeme.exe
5096	systeme.exe
1100	systeme.exe
1132	systeme.exe
1280	systeme.exe
2608	systeme.exe
4164	systeme.exe
3680	systeme.exe
2188	systeme.exe
456	systeme.exe
3592	systeme.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsys.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsys.exe"	winsys.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	systeme.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsys.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsys.exe"	systeme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 4412	1204	winsys.exe	85
PID 5020 set thread context of 3968	5020	AntiCheat.exe	90

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
File opened for modification	C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1204	winsys.exe
1204	winsys.exe
1204	winsys.exe
1204	winsys.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4412	winsys.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	winsys.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4412	winsys.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1204	2140	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	81
PID 2140 wrote to memory of 1204	2140	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	81
PID 2140 wrote to memory of 1204	2140	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	81
PID 2140 wrote to memory of 5020	2140	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	82
PID 2140 wrote to memory of 5020	2140	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	82
PID 2140 wrote to memory of 5020	2140	42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe	82
PID 1204 wrote to memory of 4548	1204	winsys.exe	84
PID 1204 wrote to memory of 4548	1204	winsys.exe	84
PID 1204 wrote to memory of 4548	1204	winsys.exe	84
PID 1204 wrote to memory of 4020	1204	winsys.exe	86
PID 1204 wrote to memory of 4020	1204	winsys.exe	86
PID 1204 wrote to memory of 4020	1204	winsys.exe	86
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 1204 wrote to memory of 4412	1204	winsys.exe	85
PID 4412 wrote to memory of 1772	4412	winsys.exe	157
PID 4412 wrote to memory of 1772	4412	winsys.exe	157
PID 4412 wrote to memory of 1772	4412	winsys.exe	157
PID 4412 wrote to memory of 2460	4412	winsys.exe	87
PID 4412 wrote to memory of 2460	4412	winsys.exe	87
PID 4412 wrote to memory of 2460	4412	winsys.exe	87
PID 4412 wrote to memory of 1152	4412	winsys.exe	88
PID 4412 wrote to memory of 1152	4412	winsys.exe	88
PID 4412 wrote to memory of 1152	4412	winsys.exe	88
PID 5020 wrote to memory of 3968	5020	AntiCheat.exe	90
PID 5020 wrote to memory of 3968	5020	AntiCheat.exe	90
PID 5020 wrote to memory of 3968	5020	AntiCheat.exe	90
PID 4412 wrote to memory of 2568	4412	winsys.exe	89
PID 4412 wrote to memory of 2568	4412	winsys.exe	89
PID 4412 wrote to memory of 2568	4412	winsys.exe	89
PID 5020 wrote to memory of 3968	5020	AntiCheat.exe	90
PID 5020 wrote to memory of 3968	5020	AntiCheat.exe	90
PID 4412 wrote to memory of 5084	4412	winsys.exe	119
PID 4412 wrote to memory of 5084	4412	winsys.exe	119
PID 4412 wrote to memory of 5084	4412	winsys.exe	119
PID 5020 wrote to memory of 3968	5020	AntiCheat.exe	90
PID 5020 wrote to memory of 3968	5020	AntiCheat.exe	90
PID 5020 wrote to memory of 3968	5020	AntiCheat.exe	90
PID 4412 wrote to memory of 2772	4412	winsys.exe	92
PID 4412 wrote to memory of 2772	4412	winsys.exe	92
PID 4412 wrote to memory of 2772	4412	winsys.exe	92
PID 4412 wrote to memory of 3872	4412	winsys.exe	115
PID 4412 wrote to memory of 3872	4412	winsys.exe	115
PID 4412 wrote to memory of 3872	4412	winsys.exe	115
PID 4412 wrote to memory of 4836	4412	winsys.exe	99
PID 4412 wrote to memory of 4836	4412	winsys.exe	99
PID 4412 wrote to memory of 4836	4412	winsys.exe	99
PID 4412 wrote to memory of 4368	4412	winsys.exe	96
PID 4412 wrote to memory of 4368	4412	winsys.exe	96
PID 4412 wrote to memory of 4368	4412	winsys.exe	96
PID 4412 wrote to memory of 820	4412	winsys.exe	97
PID 4412 wrote to memory of 820	4412	winsys.exe	97
PID 4412 wrote to memory of 820	4412	winsys.exe	97
PID 4412 wrote to memory of 1016	4412	winsys.exe	101
PID 4412 wrote to memory of 1016	4412	winsys.exe	101
PID 4412 wrote to memory of 1016	4412	winsys.exe	101

C:\Users\Admin\AppData\Local\Temp\42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe
"C:\Users\Admin\AppData\Local\Temp\42fa5b78b18239d0a0e140352b0052095c529fb2499f9e7b41560222e16d30b2.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\winsys.exe
  "C:\Users\Admin\AppData\Local\Temp\winsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\winsys.exe
    "C:\Users\Admin\AppData\Local\Temp\winsys.exe"
    3⤵
    - Executes dropped EXE
    PID:4548
- - C:\Users\Admin\AppData\Local\Temp\winsys.exe
    "C:\Users\Admin\AppData\Local\Temp\winsys.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:2460
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:1152
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:2568
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:2772
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:4368
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:820
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:404
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:4836
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:5036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:1016
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:4420
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:4356
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:4816
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:4536
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:380
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:4456
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:4164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:2312
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:3872
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:5084
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:2212
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:3680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:3016
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:1236
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:1132
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:4784
    - - C:\Users\Admin\AppData\Roaming\systeme.exe
        
        systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
        5⤵
        Executes dropped EXE
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:1456
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c cd C:\Users\Admin\AppData\Roaming & start systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\winsys.exe
    "C:\Users\Admin\AppData\Local\Temp\winsys.exe"
    3⤵
    - Executes dropped EXE
    PID:4020
- C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe
  "C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe
    "C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe"
    3⤵
    - Executes dropped EXE
    PID:3968

C:\Users\Admin\AppData\Roaming\systeme.exe
systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
1⤵
- Executes dropped EXE
PID:3592

C:\Users\Admin\AppData\Roaming\systeme.exe
systeme.exe 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C77696E7379732E657865
1⤵
- Executes dropped EXE
PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
C:\Program Files (x86)\sxe\AntiCheat\AntiCheat.exe

Filesize
939KB

MD5
0b0451269c4ec45d866a7f0fdb46e1c3

SHA1
4f9267996a7a4396401f5294631a5dce48bae6bc

SHA256
9fc979ce83fb7df0c71a5112bf6ce848264ad8981951ca688bb06782b59247a6

SHA512
c5e954b375307c9788f22ff9a7dfa4926f3e2804bb997da2b5404b872e2459572c8045d240786a444836e1e269ab3074840f72451f2580ad4755ade319ee8056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AntiCheat.exe.log

Filesize
591B

MD5
5dc9fc02b2d432345b7ca0f21ed4e456

SHA1
628abbeb428782e75ac14a59d40a8f022c77342e

SHA256
78876f8d2ca1b9d1cc00de87a7f2b73529130fc9216117f37be2a51c39fdf100

SHA512
b667da4d218acc64795fe0ef091f48016d7279d2594fb44e654b3725665838353ac639a4828c1fd5fa5ca9012bd91a6287c2b011a225af98cddf80eb27fd2665

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsys.exe

Filesize
795KB

MD5
215c4dd821b8ffc34741b204953420bb

SHA1
13f5e03b0bbbe5b5d8f5d39dbd65a83ba4d38594

SHA256
5fb48b316c9a4fdf4331922144f02e8a73af481578ad48d4ae5adf7531b63648

SHA512
5e0cc7dc49a7d93c415416b57a18b054006e4bfa87cbd404d0ce1c660a7c6dd9da8d55f13d52cf7e34d8d9673b1f58c7e664d4890865f358894eb91a2c5e09a1

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
C:\Users\Admin\AppData\Roaming\systeme.exe

Filesize
46KB

MD5
ecb65e126dfd9a1266bd220a02e08755

SHA1
f1861c1fb1870fbb32e7d61cac97fac90ec54320

SHA256
9e1b97f0ad15a892da4cde66e39d78f0dcf0857ddb18a1df8875b65c926d1585

SHA512
ba77a1a3b9d9ea0e0167fa96dfc7bb5606f02a31d354ca18adfb2673836610e9b35d8656b3ca5121c634c9aaf5151d6bfb8430039902409cd94c2c911f2d640b

Download Submit
memory/1204-151-0x0000000072BC0000-0x0000000073171000-memory.dmp

Filesize
5.7MB

Download
memory/1204-141-0x0000000072BC0000-0x0000000073171000-memory.dmp

Filesize
5.7MB

Download
memory/1204-139-0x0000000072BC0000-0x0000000073171000-memory.dmp

Filesize
5.7MB

Download
memory/3968-229-0x0000000072BC0000-0x0000000073171000-memory.dmp

Filesize
5.7MB

Download
memory/3968-168-0x0000000072BC0000-0x0000000073171000-memory.dmp

Filesize
5.7MB

Download
memory/3968-159-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3968-231-0x0000000072BC0000-0x0000000073171000-memory.dmp

Filesize
5.7MB

Download
memory/4412-228-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4412-150-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4412-152-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4412-147-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4412-149-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5020-140-0x0000000072BC0000-0x0000000073171000-memory.dmp

Filesize
5.7MB

Download
memory/5020-138-0x0000000072BC0000-0x0000000073171000-memory.dmp

Filesize
5.7MB

Download
memory/5020-164-0x0000000072BC0000-0x0000000073171000-memory.dmp

Filesize
5.7MB

Download