0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2022, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
Size

17.6MB
MD5

225bc0288488af176cb9e9cd870bbed4
SHA1

7a1aa113896bb9665ae2f2253d56e54b11e1797d
SHA256

0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf
SHA512

15e46aa7d5e7f94ad35e5bed5c2039dd10298ee3ca3a52040bbfbeddf670031df3b78ac51d7ee5c39af66d7cb32d7b27266be3071b309abc241287dad1715f3f
SSDEEP

393216:VGsxacUdcfF/WB7cJQdk7iG95yfxOwDatwyRViUWA:VGsic987cJiKNTcxOwOtNRVlT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
3256	pcit.exe
5016	pcit.exe
4964	pcit.exe
1324	pcit.exe
1744	pcit.exe
1504	bbclp.exe
2104	pcit.exe
1064	pcit.exe
1364	pcit.exe
2176	pcit.exe
2664	pcit.exe
2352	pcit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe

Loads dropped DLL 18 IoCs

pid	Process
4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
3256	pcit.exe
5016	pcit.exe
4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
4964	pcit.exe
1324	pcit.exe
1744	pcit.exe
4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
2104	pcit.exe
1064	pcit.exe
1364	pcit.exe
2176	pcit.exe
2664	pcit.exe
2352	pcit.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pclient\pnpmgr.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0014.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\init.xml	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0024.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\INSTALL.LOG	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\pfmcomm.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0018.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0023.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\lps.xml	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\iobios.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\inf\nmfmgr.inf	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\ats.xml	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0022.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\iobios125.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0016.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\LanguageData\~GLH001a.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\BrowseClassInfo\CookiesInfo.xml	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0012.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\blLog.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH000f.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0010.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0011.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0013.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0015.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0017.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\GLBSINST.%$D	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\nmfmgr.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\lpst.xml	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\pfmtransmit.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH000e.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\pfmtask.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\scclient.exe	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\scguardc.exe	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH001c.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\modules\GnacCltMgr.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\inf\nmfmgr_m.inf	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\pcit.exe	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0021.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\devmgr.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\sccltui.exe	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\LanguageData\LanguageTranslate.xml	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\BrowseClassInfo\~GLH001b.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\modules\~GLH001d.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\inf\~GLH001f.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH000d.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\pfmscript.dll	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0019.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\inf\~GLH001e.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH0020.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\ftdump.xml	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\SysWOW64\Pclient\INSTALL.LOG	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Windows\SysWOW64\Pclient\~GLH000c.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GSC\install\PhenixClient.log	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File created	C:\Program Files (x86)\GSC\install\~GLBS383.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\~GLH000b.TMP	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
File opened for modification	C:\Windows\bbclp.exe	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	pcit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	pcit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2104	pcit.exe
2104	pcit.exe
1064	pcit.exe
1064	pcit.exe
1364	pcit.exe
1364	pcit.exe
2176	pcit.exe
2176	pcit.exe
2664	pcit.exe
2664	pcit.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	pcit.exe
Token: SeDebugPrivilege	1064	pcit.exe
Token: SeDebugPrivilege	1364	pcit.exe
Token: SeDebugPrivilege	2176	pcit.exe
Token: SeDebugPrivilege	2664	pcit.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3256	pcit.exe
5016	pcit.exe
4964	pcit.exe
1324	pcit.exe
1744	pcit.exe
2104	pcit.exe
1064	pcit.exe
1364	pcit.exe
2176	pcit.exe
2664	pcit.exe
2352	pcit.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3256	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	81
PID 4956 wrote to memory of 3256	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	81
PID 4956 wrote to memory of 3256	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	81
PID 4956 wrote to memory of 5016	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	83
PID 4956 wrote to memory of 5016	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	83
PID 4956 wrote to memory of 5016	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	83
PID 4956 wrote to memory of 4964	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	84
PID 4956 wrote to memory of 4964	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	84
PID 4956 wrote to memory of 4964	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	84
PID 4956 wrote to memory of 1324	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	85
PID 4956 wrote to memory of 1324	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	85
PID 4956 wrote to memory of 1324	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	85
PID 4956 wrote to memory of 1744	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	86
PID 4956 wrote to memory of 1744	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	86
PID 4956 wrote to memory of 1744	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	86
PID 4956 wrote to memory of 1504	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	87
PID 4956 wrote to memory of 1504	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	87
PID 4956 wrote to memory of 1504	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	87
PID 4956 wrote to memory of 2104	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	88
PID 4956 wrote to memory of 2104	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	88
PID 4956 wrote to memory of 2104	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	88
PID 4956 wrote to memory of 1064	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	89
PID 4956 wrote to memory of 1064	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	89
PID 4956 wrote to memory of 1064	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	89
PID 4956 wrote to memory of 1364	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	90
PID 4956 wrote to memory of 1364	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	90
PID 4956 wrote to memory of 1364	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	90
PID 4956 wrote to memory of 2176	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	91
PID 4956 wrote to memory of 2176	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	91
PID 4956 wrote to memory of 2176	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	91
PID 4956 wrote to memory of 2664	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	92
PID 4956 wrote to memory of 2664	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	92
PID 4956 wrote to memory of 2664	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	92
PID 4956 wrote to memory of 2352	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	93
PID 4956 wrote to memory of 2352	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	93
PID 4956 wrote to memory of 2352	4956	0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe	93

C:\Users\Admin\AppData\Local\Temp\0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe
"C:\Users\Admin\AppData\Local\Temp\0499d7df407fe47222db8b2faa8e3ced163ba7282a813a7b3f1982fd6972debf.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4956
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -ChkUsr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3256
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -DelReg "HKEY_LOCAL_MACHINE" "SOFTWARE\Microsoft\Windows\CurrentVersion" "DomainSetup"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5016
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -xpe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4964
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -virtual
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:1324
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -xpe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Windows\bbclp.exe
  "C:\Windows\bbclp.exe"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -k "C:\Windows\System32\Pclient\scguardc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -k "C:\Windows\System32\Pclient\scclient.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1064
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -k "C:\Windows\System32\Pclient\sccltui.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1364
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -k "C:\Windows\System32\Pclient\Svctrl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -k "C:\Windows\System32\Pclient\Block.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2664
- C:\PHENIX~1\pcit.exe
  "C:\PHENIX~1\pcit.exe" -cltbadpnpdlls 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\PHENIX_CLIENT\setuputl.dll

Filesize
742KB

MD5
34d21b5936b0b226e292c9905a423720

SHA1
32677e6291e51a8392085bbd9b089a8dd6e9e99f

SHA256
b97b687dde340b765fb2c0823a75f880bf38ad08955778c3e68d48fde4d7cef0

SHA512
66dd563c36cd7a0e76c5dd78fdfd3979b7ad18d01d486191e5bfab0b9c1a9e2682fbabc9b8a5da0910d21478f5842b3d103d24a7ca4010fabbddca1f3e822047

Download Submit
C:\PHENIX_CLIENT\setuputl.dll

Filesize
742KB

MD5
34d21b5936b0b226e292c9905a423720

SHA1
32677e6291e51a8392085bbd9b089a8dd6e9e99f

SHA256
b97b687dde340b765fb2c0823a75f880bf38ad08955778c3e68d48fde4d7cef0

SHA512
66dd563c36cd7a0e76c5dd78fdfd3979b7ad18d01d486191e5bfab0b9c1a9e2682fbabc9b8a5da0910d21478f5842b3d103d24a7ca4010fabbddca1f3e822047

Download Submit
C:\PHENIX~1\blLog.dll

Filesize
258KB

MD5
65912adc3edc651f5087e8619e214723

SHA1
d01d724053835071a01b51e3a4b0c5249bfcab5d

SHA256
1bfcf9c9c71b15ad4cdd9b2693556fd8fe92b6dfcbe9f64b620ae7195b694892

SHA512
73ac9aaa64a443c30f053bbd192e07e19339692dcb627ea08f44d35e36a14705c8ee8b071d06c3e263465ff9640ec1029f28ff507336c7cfb98ec7d09e29eef2

Download Submit
C:\PHENIX~1\pcit.exe

Filesize
806KB

MD5
8c6700450e43fcac519167176310252c

SHA1
baee91a0bb20da76b0d4ae5b4e22c68b4e9fec35

SHA256
c0ed9ae250ecda69ff2fdd84c8f668a0f0c0ebda2b15201de8a021d5054fa1ba

SHA512
57e9353de34a311fcdc1a65b4b410ba3877f7cbb68226cd045862ad137679861b7cc41d975f78c22c3d6e25a97fe38e76355d06c29380b6c08dd32d0408acfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC8B2E.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK8B7D.tmp

Filesize
550KB

MD5
b5b71830f2dcdb9d4882af956e7ea366

SHA1
c95b3d5ed67693a30b41d4b8e82f27b04861ffcc

SHA256
55053827191186e6659ee9c15373cfe3b25b6708a79b990e4797c4c4e5d34b61

SHA512
e588f7e55467530617810dacd984fad3c567fbe50ddd774d84174febe60e5e3d612bd45df2f56e42851fe59e7ea650a92451e0545f7641129c23fcdd570bca15

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK8B7D.tmp

Filesize
550KB

MD5
b5b71830f2dcdb9d4882af956e7ea366

SHA1
c95b3d5ed67693a30b41d4b8e82f27b04861ffcc

SHA256
55053827191186e6659ee9c15373cfe3b25b6708a79b990e4797c4c4e5d34b61

SHA512
e588f7e55467530617810dacd984fad3c567fbe50ddd774d84174febe60e5e3d612bd45df2f56e42851fe59e7ea650a92451e0545f7641129c23fcdd570bca15

Download Submit
C:\Users\Admin\AppData\Local\Temp\iospc.dll

Filesize
354KB

MD5
f829d66feaf81ec1d9f2d276ef30894c

SHA1
34d019da54c96797faa53623dfd6adc6248f9343

SHA256
7b4076aeafc16098c6eb351e00cdb30a4ae33a4ae596b900361386e9d6cbb2c5

SHA512
be2406136012422caa32756e9bdd34357cafd3fccb62ac378ed2e2641267e283f7e461e6c2fae459a18a78365470bac95f75b5a2f423d57b80db98579bc67835

Download Submit
C:\Users\Admin\AppData\Local\Temp\iospc.dll

Filesize
354KB

MD5
f829d66feaf81ec1d9f2d276ef30894c

SHA1
34d019da54c96797faa53623dfd6adc6248f9343

SHA256
7b4076aeafc16098c6eb351e00cdb30a4ae33a4ae596b900361386e9d6cbb2c5

SHA512
be2406136012422caa32756e9bdd34357cafd3fccb62ac378ed2e2641267e283f7e461e6c2fae459a18a78365470bac95f75b5a2f423d57b80db98579bc67835

Download Submit
C:\Windows\bbclp.exe

Filesize
150KB

MD5
bc0c7eb89e14bc9c4ff4eaf16119b244

SHA1
dc2e89e789c99ab7f31c097b34baa57fbe21af95

SHA256
766c540b11d84279662ccbbff2589a0d63764e37106139e2d3d9c86ecd0ad7a3

SHA512
09029d291b73936c3f9ed19ce173f407f41a4560a23c1f4630dd00e33c1912c25efe8056a0a764be396a4448e59edba34d16179841a29a65a71344963f5e37e4

Download Submit
C:\Windows\bbclp.exe

Filesize
150KB

MD5
bc0c7eb89e14bc9c4ff4eaf16119b244

SHA1
dc2e89e789c99ab7f31c097b34baa57fbe21af95

SHA256
766c540b11d84279662ccbbff2589a0d63764e37106139e2d3d9c86ecd0ad7a3

SHA512
09029d291b73936c3f9ed19ce173f407f41a4560a23c1f4630dd00e33c1912c25efe8056a0a764be396a4448e59edba34d16179841a29a65a71344963f5e37e4

Download Submit
memory/4956-162-0x00000000030B0000-0x0000000003169000-memory.dmp

Filesize
740KB

Download
memory/4956-146-0x00000000030B0000-0x0000000003107000-memory.dmp

Filesize
348KB

Download
memory/4956-135-0x0000000003021000-0x0000000003023000-memory.dmp

Filesize
8KB

Download