7b9a0fd990959dfd15a879bbffd13d4959b9bdeecf6831b91b8ac02d72e9bba5

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoof Instructions/Toolz/PrivaZerPortable/App/PrivaZer/PrivaZer.exe
Size

23.7MB
MD5

04862d6db6cf3fe0fbc8aefb3f711952
SHA1

ac9442e75bd6ac39456f9114d62752694497cf44
SHA256

062629714716129610709d15bb2a8fac436ccf28b2eb3e67c754b1ef0a1d92d8
SHA512

28cf9f58ec69d227110c803dd3ad6528efcf837cb1ae664e2c39c11052e4998b1af272045e38d14207b9314d0a6de889877c713924f40b274ba46092b351398c
SSDEEP

393216:5X0sRxCa14ApBLHWIWhkvEcrfp7uSIWssp35QVGgYGHcMenumG1RIYKj1SN8Ojxi:SuCmLHRdIWsBGA8imG1RIYKj1SN8Ojxi

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	PrivaZer.exe
File opened (read-only)	\??\X:	PrivaZer.exe
File opened (read-only)	\??\Y:	PrivaZer.exe
File opened (read-only)	\??\H:	PrivaZer.exe
File opened (read-only)	\??\M:	PrivaZer.exe
File opened (read-only)	\??\Q:	PrivaZer.exe
File opened (read-only)	\??\I:	PrivaZer.exe
File opened (read-only)	\??\T:	PrivaZer.exe
File opened (read-only)	\??\V:	PrivaZer.exe
File opened (read-only)	\??\R:	PrivaZer.exe
File opened (read-only)	\??\S:	PrivaZer.exe
File opened (read-only)	\??\W:	PrivaZer.exe
File opened (read-only)	\??\A:	PrivaZer.exe
File opened (read-only)	\??\K:	PrivaZer.exe
File opened (read-only)	\??\N:	PrivaZer.exe
File opened (read-only)	\??\J:	PrivaZer.exe
File opened (read-only)	\??\L:	PrivaZer.exe
File opened (read-only)	\??\O:	PrivaZer.exe
File opened (read-only)	\??\P:	PrivaZer.exe
File opened (read-only)	\??\Z:	PrivaZer.exe
File opened (read-only)	\??\B:	PrivaZer.exe
File opened (read-only)	\??\E:	PrivaZer.exe
File opened (read-only)	\??\G:	PrivaZer.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{7328876c-c4b3-4821-9060-ca7aa87bde53}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1194130065-3471212556-1656947724-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUtmp.log	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{7328876c-c4b3-4821-9060-ca7aa87bde53}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1194130065-3471212556-1656947724-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrivaZer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	PrivaZer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cdcef0e71e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009dcadc0e71e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de2bdf0e71e5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d152e60e71e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc780c0f71e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008940d30e71e5da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4440	PrivaZer.exe
4440	PrivaZer.exe
2500	svchost.exe
2500	svchost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	1344	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4440	PrivaZer.exe
4440	PrivaZer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4440	PrivaZer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4440	PrivaZer.exe
4440	PrivaZer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3792	1344	SearchIndexer.exe	88
PID 1344 wrote to memory of 3792	1344	SearchIndexer.exe	88
PID 1344 wrote to memory of 4912	1344	SearchIndexer.exe	89
PID 1344 wrote to memory of 4912	1344	SearchIndexer.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\App\PrivaZer\PrivaZer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\App\PrivaZer\PrivaZer.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3792
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:4912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:3912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\000\PrivaZer.default.ini

Filesize
28KB

MD5
7d3bf243fbd93d4bbee822f666a03283

SHA1
0abab040ef205d84179ac025dca355b595294009

SHA256
98174317a9bfa3f2a16291213cb74f6af25ae71c38cd335f097f665349f0dc5c

SHA512
ca50cea971f94027aa66c508a7afd87bf8aa62a96d765c654b64085f7075444b51fca6d88afcc7aaf573c4b2533b15c80a26ece5f0e186a9c7480ee0f433ba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\000\data.ini

Filesize
33B

MD5
b2ec006c3e67b6bd9129fe5e5fbe7b27

SHA1
43ad64edcb9e6cb1f2aa597ce5ff44d1b2e178c4

SHA256
2d7bcda4007dc91377a9856cde2afc8dde9431514c46317f9235d2847e9249ab

SHA512
62e8776de89c07f99911f4de5d4b17cf1342d45693311e49d62195bb01b1d1b2731a0c0fc7f50caa9e5379d013d286292eb54e46d0a00a6b1bc16d828d60edc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\000\data.ini

Filesize
140B

MD5
59ede453124c59bcee6621a1e32f6675

SHA1
a877e832dec181d862c49d86ced904c2e08260ad

SHA256
a387dee4526fe17f5127ad8c5c4c866f2b8ed93f45e084c03d3f50ce13e24936

SHA512
cac982e7648fef6ff78021a0a113e2ea5571ddb4f8cf08f26873d0a61d859adb213e9bfc5347df67b73348b750051e92caf864e144e1ce6bb839fb5e0af7d58c

Download Submit
memory/1344-39-0x00000218E13B0000-0x00000218E13C0000-memory.dmp

Filesize
64KB

Download
memory/1344-23-0x00000218E12B0000-0x00000218E12C0000-memory.dmp

Filesize
64KB

Download
memory/1344-121-0x00000218E7A90000-0x00000218E7A98000-memory.dmp

Filesize
32KB

Download
memory/1344-55-0x00000218E58A0000-0x00000218E58A8000-memory.dmp

Filesize
32KB

Download
memory/2500-157-0x000001CE8CF70000-0x000001CE8CF71000-memory.dmp

Filesize
4KB

Download
memory/2500-155-0x000001CE8D470000-0x000001CE8D471000-memory.dmp

Filesize
4KB

Download
memory/2500-158-0x000001CE8CF60000-0x000001CE8CF61000-memory.dmp

Filesize
4KB

Download
memory/2500-160-0x000001CE8CF60000-0x000001CE8CF61000-memory.dmp

Filesize
4KB

Download
memory/2500-163-0x000001CE8CEB0000-0x000001CE8CEB1000-memory.dmp

Filesize
4KB

Download
memory/2500-116-0x000001CE8CF60000-0x000001CE8CF61000-memory.dmp

Filesize
4KB

Download
memory/2500-154-0x000001CE8D480000-0x000001CE8D481000-memory.dmp

Filesize
4KB

Download
memory/4440-8-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/4440-123-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/4440-124-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/4440-118-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/4440-0-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/4440-7-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/4440-6-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/4440-5-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/4440-1-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download