Overview
overview
9Static
static
9Spoof Inst...ew.chm
windows7-x64
1Spoof Inst...ew.chm
windows10-2004-x64
1Spoof Inst...ew.exe
windows7-x64
6Spoof Inst...ew.exe
windows10-2004-x64
6Spoof Inst...pt.ps1
windows7-x64
3Spoof Inst...pt.ps1
windows10-2004-x64
3Spoof Inst...ID.cmd
windows7-x64
1Spoof Inst...ID.cmd
windows10-2004-x64
1Spoof Inst...id.exe
windows7-x64
3Spoof Inst...id.exe
windows10-2004-x64
3Spoof Inst...64.exe
windows7-x64
1Spoof Inst...64.exe
windows10-2004-x64
1Spoof Inst...me.bat
windows7-x64
3Spoof Inst...me.bat
windows10-2004-x64
7Spoof Inst...sk.exe
windows7-x64
5Spoof Inst...sk.exe
windows10-2004-x64
5Spoof Inst...ch.exe
windows7-x64
7Spoof Inst...ch.exe
windows10-2004-x64
7Spoof Inst...gs.vbs
windows7-x64
3Spoof Inst...gs.vbs
windows10-2004-x64
1Spoof Inst...ol.exe
windows7-x64
7Spoof Inst...ol.exe
windows10-2004-x64
7Spoof Inst...he.bat
windows7-x64
1Spoof Inst...he.bat
windows10-2004-x64
1Spoof Inst...or.url
windows7-x64
1Spoof Inst...or.url
windows10-2004-x64
1Spoof Inst...on.bat
windows7-x64
8Spoof Inst...on.bat
windows10-2004-x64
8Spoof Inst...er.exe
windows7-x64
6Spoof Inst...er.exe
windows10-2004-x64
6Spoof Inst...le.exe
windows7-x64
6Spoof Inst...le.exe
windows10-2004-x64
6Analysis
-
max time kernel
141s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
02-08-2024 21:28
Behavioral task
behavioral1
Sample
Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.chm
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral2
Sample
Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.chm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
Spoof Instructions/Spoof Toolz/OtherIDs/USBDeview.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Spoof Instructions/Spoof Toolz/Reg_Script.ps1
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
Spoof Instructions/Spoof Toolz/Reg_Script.ps1
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Spoof Instructions/Spoof Toolz/VolChange/ChangeVolID.cmd
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
Spoof Instructions/Spoof Toolz/VolChange/ChangeVolID.cmd
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral10
Sample
Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid64.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
Spoof Instructions/Spoof Toolz/VolChange/_/Volumeid64.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Spoof Instructions/Toolz/Activate Win10Home.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
Spoof Instructions/Toolz/Activate Win10Home.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Spoof Instructions/Toolz/AnyDesk.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
Spoof Instructions/Toolz/AnyDesk.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Spoof Instructions/Toolz/DNSBench.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
Spoof Instructions/Toolz/DNSBench.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Spoof Instructions/Toolz/Defender Control/Defender_Settings.vbs
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
Spoof Instructions/Toolz/Defender Control/Defender_Settings.vbs
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Spoof Instructions/Toolz/Defender Control/dControl.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral22
Sample
Spoof Instructions/Toolz/Defender Control/dControl.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Spoof Instructions/Toolz/DelUSBCache.bat
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
Spoof Instructions/Toolz/DelUSBCache.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Spoof Instructions/Toolz/Free Online GUID Generator.url
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
Spoof Instructions/Toolz/Free Online GUID Generator.url
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Spoof Instructions/Toolz/GeoLocation.bat
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral28
Sample
Spoof Instructions/Toolz/GeoLocation.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Spoof Instructions/Toolz/PrivaZerPortable/App/PrivaZer/PrivaZer.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
Spoof Instructions/Toolz/PrivaZerPortable/App/PrivaZer/PrivaZer.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Spoof Instructions/Toolz/PrivaZerPortable/PrivaZerPortable.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
Spoof Instructions/Toolz/PrivaZerPortable/PrivaZerPortable.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
Spoof Instructions/Toolz/PrivaZerPortable/App/PrivaZer/PrivaZer.exe
-
Size
23.7MB
-
MD5
04862d6db6cf3fe0fbc8aefb3f711952
-
SHA1
ac9442e75bd6ac39456f9114d62752694497cf44
-
SHA256
062629714716129610709d15bb2a8fac436ccf28b2eb3e67c754b1ef0a1d92d8
-
SHA512
28cf9f58ec69d227110c803dd3ad6528efcf837cb1ae664e2c39c11052e4998b1af272045e38d14207b9314d0a6de889877c713924f40b274ba46092b351398c
-
SSDEEP
393216:5X0sRxCa14ApBLHWIWhkvEcrfp7uSIWssp35QVGgYGHcMenumG1RIYKj1SN8Ojxi:SuCmLHRdIWsBGA8imG1RIYKj1SN8Ojxi
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: PrivaZer.exe File opened (read-only) \??\Q: PrivaZer.exe File opened (read-only) \??\T: PrivaZer.exe File opened (read-only) \??\W: PrivaZer.exe File opened (read-only) \??\G: PrivaZer.exe File opened (read-only) \??\R: PrivaZer.exe File opened (read-only) \??\S: PrivaZer.exe File opened (read-only) \??\V: PrivaZer.exe File opened (read-only) \??\Y: PrivaZer.exe File opened (read-only) \??\Z: PrivaZer.exe File opened (read-only) \??\U: PrivaZer.exe File opened (read-only) \??\X: PrivaZer.exe File opened (read-only) \??\A: PrivaZer.exe File opened (read-only) \??\J: PrivaZer.exe File opened (read-only) \??\K: PrivaZer.exe File opened (read-only) \??\L: PrivaZer.exe File opened (read-only) \??\N: PrivaZer.exe File opened (read-only) \??\P: PrivaZer.exe File opened (read-only) \??\B: PrivaZer.exe File opened (read-only) \??\E: PrivaZer.exe File opened (read-only) \??\H: PrivaZer.exe File opened (read-only) \??\I: PrivaZer.exe File opened (read-only) \??\O: PrivaZer.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PrivaZer.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier PrivaZer.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\isoburn.exe,-350 = "Disc Image File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JScript Script File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0d9820271e5da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates SearchFilterHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010b9cd0371e5da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2400 PrivaZer.exe 2400 PrivaZer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeManageVolumePrivilege 2788 SearchIndexer.exe Token: 33 2788 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2788 SearchIndexer.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2400 PrivaZer.exe 2400 PrivaZer.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2400 PrivaZer.exe -
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process 2400 PrivaZer.exe 2400 PrivaZer.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe 1484 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2788 wrote to memory of 1484 2788 SearchIndexer.exe 32 PID 2788 wrote to memory of 1484 2788 SearchIndexer.exe 32 PID 2788 wrote to memory of 1484 2788 SearchIndexer.exe 32 PID 2788 wrote to memory of 1660 2788 SearchIndexer.exe 33 PID 2788 wrote to memory of 1660 2788 SearchIndexer.exe 33 PID 2788 wrote to memory of 1660 2788 SearchIndexer.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\App\PrivaZer\PrivaZer.exe"C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\App\PrivaZer\PrivaZer.exe"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2400
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1484
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 5162⤵
- Modifies data under HKEY_USERS
PID:1660
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
MD5914ccd5abf3969f3b7a886c57cec5202
SHA1db8e5f8c1f038a8f3401b49d2ea394f3995ec18d
SHA2561125a4e1266c297122c7341938776ad9a5bbf782e2dfd2db7589787fcda31d30
SHA5120207b8db600c0eb47b46f663f9eeb09db5c71fab34e5221b4611413a7a19629821986da37c2ff5cb06997c09df220be59cec4d0e1cdaf567f082c89782056a77
-
Filesize
28KB
MD541307bb0634da41c6f7a3af2e2bda5dd
SHA134e3aa27f85502009da8a21955d9060873986128
SHA2567094fb1eb7fb766c2667d25ab86e61181df44d621f6a633ae0c74aeacfa3285d
SHA5124d63db1505a165c605be6e6320926c1afc9c3ef5a0b0d3f4f7b25f33d49a095f8f003c86a545c0c22ea4a89016da89043e3ed4a7abffb285866d8e212e41c9e1
-
Filesize
140B
MD53609ef20d16ad5c78e0469ca2bad3f0b
SHA1deca2f556b642ce7bb809704c9b061875af458af
SHA25636dd46ff5a34555ff8225e07e0df3fc59cbfa07c069155e483f071dc5398b6ef
SHA512500d8255c2a3133f671738b76171be7a14e8501514c9b372c2b30dd48dd89a11b7d313797b9c9c2aef51a7dee3e4ab35a607c0ac15485612c0733cd3811b776e
-
Filesize
33B
MD5b2ec006c3e67b6bd9129fe5e5fbe7b27
SHA143ad64edcb9e6cb1f2aa597ce5ff44d1b2e178c4
SHA2562d7bcda4007dc91377a9856cde2afc8dde9431514c46317f9235d2847e9249ab
SHA51262e8776de89c07f99911f4de5d4b17cf1342d45693311e49d62195bb01b1d1b2731a0c0fc7f50caa9e5379d013d286292eb54e46d0a00a6b1bc16d828d60edc0