valleyrat_s2 | 2974e4eb86ceb963caf3b6dbca86995bd31955df16b00e5735178a4a98b85e00

Analysis

max time kernel
149s
max time network
147s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
03/04/2025, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google AI Browser v1.3.3.msi
Size

68.9MB
MD5

fab734d9abaa41a7c47795c828419bbc
SHA1

f6c4d2800b8658f4d21c6c6438109829fbb722c0
SHA256

2974e4eb86ceb963caf3b6dbca86995bd31955df16b00e5735178a4a98b85e00
SHA512

0ea366f757e84253a7583b77bdffa16ce74e92a20cd4dde4e0a3fcede0a6a258e9ff3cfb5def49a7fde3d1ee1309fe54683b41986e3ac4ec136757d666714678
SSDEEP

1572864:n0uJbTTPj3Rbu7Fh0Cv7OuQ5kVxc6sj/kcAXpUmUewr5/Rf3C/mAmhen3Z/:FvT9u7Ak7OuQ16sEZUm6r5JV

Score

10^/10

valleyrat_s2 backdoor discovery

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

23.133.4.6:6666

23.133.4.6:7777

127.0.0.1:80

Attributes

campaign_date
2025. 3. 2

Signatures

ValleyRat
ValleyRat stage2 is a backdoor written in C++.
backdoor valleyrat_s2
Valleyrat_s2 family
valleyrat_s2

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	uc.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	uc.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	uc.exe
File opened (read-only)	\??\Y:	uc.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\D:	uc.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	uc.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	uc.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	uc.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	uc.exe
File opened (read-only)	\??\L:	uc.exe
File opened (read-only)	\??\W:	uc.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	uc.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	uc.exe
File opened (read-only)	\??\O:	uc.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	uc.exe
File opened (read-only)	\??\V:	uc.exe
File opened (read-only)	\??\Z:	uc.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	uc.exe
File opened (read-only)	\??\Q:	uc.exe
File opened (read-only)	\??\R:	uc.exe
File opened (read-only)	\??\S:	uc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI240A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{96DFEDED-7E2A-4733-8BC7-8AC33369D40C}	msiexec.exe
File created	C:\Windows\Installer\e592340.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59233e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI260E.tmp	msiexec.exe
File created	C:\Windows\Installer\e59233e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
5576	uc.exe

Loads dropped DLL 9 IoCs

pid	Process
4288	MsiExec.exe
4288	MsiExec.exe
4288	MsiExec.exe
4288	MsiExec.exe
4288	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
5576	uc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000df9142892386a7a60000000000000000000000000000000000000000000000000000000000000000000000000000000000001071020000000000c01200000000ffffffff000000002701010000883801df9142890000000000001071020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d083020000000000c050e1000000ffffffff000000000700010000e84101df914289000000000000d08302000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090d4e30000000000000005000000ffffffff00000000070001000048ea71df91428900000000000090d4e300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000df91428900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\ProductName = "Google AI Browser v1.3.3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\Version = "16973827"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF4252F72C1166F419557E6F6666835D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DEDEFD69A2E73374B87CA83C33964DC0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DEDEFD69A2E73374B87CA83C33964DC0\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\PackageName = "Google AI Browser v1.3.3.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\PackageCode = "6A21E92FE7F6A7C409DF2B746123F477"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF4252F72C1166F419557E6F6666835D\DEDEFD69A2E73374B87CA83C33964DC0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5576	uc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
852	msiexec.exe
852	msiexec.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe
5576	uc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4552	msiexec.exe
Token: SeSecurityPrivilege	852	msiexec.exe
Token: SeCreateTokenPrivilege	4552	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4552	msiexec.exe
Token: SeLockMemoryPrivilege	4552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4552	msiexec.exe
Token: SeMachineAccountPrivilege	4552	msiexec.exe
Token: SeTcbPrivilege	4552	msiexec.exe
Token: SeSecurityPrivilege	4552	msiexec.exe
Token: SeTakeOwnershipPrivilege	4552	msiexec.exe
Token: SeLoadDriverPrivilege	4552	msiexec.exe
Token: SeSystemProfilePrivilege	4552	msiexec.exe
Token: SeSystemtimePrivilege	4552	msiexec.exe
Token: SeProfSingleProcessPrivilege	4552	msiexec.exe
Token: SeIncBasePriorityPrivilege	4552	msiexec.exe
Token: SeCreatePagefilePrivilege	4552	msiexec.exe
Token: SeCreatePermanentPrivilege	4552	msiexec.exe
Token: SeBackupPrivilege	4552	msiexec.exe
Token: SeRestorePrivilege	4552	msiexec.exe
Token: SeShutdownPrivilege	4552	msiexec.exe
Token: SeDebugPrivilege	4552	msiexec.exe
Token: SeAuditPrivilege	4552	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4552	msiexec.exe
Token: SeChangeNotifyPrivilege	4552	msiexec.exe
Token: SeRemoteShutdownPrivilege	4552	msiexec.exe
Token: SeUndockPrivilege	4552	msiexec.exe
Token: SeSyncAgentPrivilege	4552	msiexec.exe
Token: SeEnableDelegationPrivilege	4552	msiexec.exe
Token: SeManageVolumePrivilege	4552	msiexec.exe
Token: SeImpersonatePrivilege	4552	msiexec.exe
Token: SeCreateGlobalPrivilege	4552	msiexec.exe
Token: SeCreateTokenPrivilege	4552	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4552	msiexec.exe
Token: SeLockMemoryPrivilege	4552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4552	msiexec.exe
Token: SeMachineAccountPrivilege	4552	msiexec.exe
Token: SeTcbPrivilege	4552	msiexec.exe
Token: SeSecurityPrivilege	4552	msiexec.exe
Token: SeTakeOwnershipPrivilege	4552	msiexec.exe
Token: SeLoadDriverPrivilege	4552	msiexec.exe
Token: SeSystemProfilePrivilege	4552	msiexec.exe
Token: SeSystemtimePrivilege	4552	msiexec.exe
Token: SeProfSingleProcessPrivilege	4552	msiexec.exe
Token: SeIncBasePriorityPrivilege	4552	msiexec.exe
Token: SeCreatePagefilePrivilege	4552	msiexec.exe
Token: SeCreatePermanentPrivilege	4552	msiexec.exe
Token: SeBackupPrivilege	4552	msiexec.exe
Token: SeRestorePrivilege	4552	msiexec.exe
Token: SeShutdownPrivilege	4552	msiexec.exe
Token: SeDebugPrivilege	4552	msiexec.exe
Token: SeAuditPrivilege	4552	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4552	msiexec.exe
Token: SeChangeNotifyPrivilege	4552	msiexec.exe
Token: SeRemoteShutdownPrivilege	4552	msiexec.exe
Token: SeUndockPrivilege	4552	msiexec.exe
Token: SeSyncAgentPrivilege	4552	msiexec.exe
Token: SeEnableDelegationPrivilege	4552	msiexec.exe
Token: SeManageVolumePrivilege	4552	msiexec.exe
Token: SeImpersonatePrivilege	4552	msiexec.exe
Token: SeCreateGlobalPrivilege	4552	msiexec.exe
Token: SeCreateTokenPrivilege	4552	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4552	msiexec.exe
Token: SeLockMemoryPrivilege	4552	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4552	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5576	uc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 4288	852	msiexec.exe	83
PID 852 wrote to memory of 4288	852	msiexec.exe	83
PID 852 wrote to memory of 4288	852	msiexec.exe	83
PID 852 wrote to memory of 5984	852	msiexec.exe	95
PID 852 wrote to memory of 5984	852	msiexec.exe	95
PID 852 wrote to memory of 4080	852	msiexec.exe	97
PID 852 wrote to memory of 4080	852	msiexec.exe	97
PID 852 wrote to memory of 4080	852	msiexec.exe	97
PID 4080 wrote to memory of 5576	4080	MsiExec.exe	98
PID 4080 wrote to memory of 5576	4080	MsiExec.exe	98
PID 4080 wrote to memory of 5576	4080	MsiExec.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google AI Browser v1.3.3.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4552

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F9FE30B5166D64E20FE751038EA7C1C9 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4288
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E6A3013A549ACF246705D542D989DD2B
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\uc.exe
    "C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\uc.exe"
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59233f.rbs

Filesize
20KB

MD5
df299a2a7721361459b33a765631c49e

SHA1
85c80c0fe2f171b95b1c00b45af0fa0cc63184b4

SHA256
343dd80c174c6e16300a51ebe1f80cbb22f82f7875d0ac75c4195730e5b99e47

SHA512
d22a26737f608691875891db6f6938dd5d11a76c2766f94af718ace1d3ef9fa21c8b6526a84effa7f9ee06d22341dbfed2ac6eaaaa4163efb86ae436b1f246f8

Download Submit
C:\ProgramData\11UCore3.cpy

Filesize
229KB

MD5
003a41d52177c23eb8e3a7ced50324ae

SHA1
29b04e9c7f4262e5fdd7f487d3abc71a69b2de95

SHA256
0d27409ef8c71e81534006253109ce1072ad55cbf8a10a72b694426a45f6562b

SHA512
7b72294dba4d47ff4a41b3ff4ceefb7dbf2961928c1175ccc87b07852c1595d91892c2b29a5d294a0332ff9bb28ac32c4f963c40c58a7f8d9fb2829037cd4772

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9829.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\11UCore.dll

Filesize
725KB

MD5
f445081a2d57529ecf5404b4ee58bfe0

SHA1
7f52c1e26ecd229e1d0624d8e5b32bc9087c23b0

SHA256
632feb47233ed59b5c90f1d80d502e700b3a365238b6f82fc14f5d72da7f670c

SHA512
6bded997b5f1bafffc5b91eb940868d71a4a1420ccfc1ad4b449fc85151af4cebb9410df2be48bb4eac6b095c3414829db32c84aedbb9b0028443dd022d93ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\uc.exe

Filesize
1.3MB

MD5
0318aa67eaebc33d51ad2f675536bac1

SHA1
2355fc33db6eef7b6d6abd93fb148109db4c3e5f

SHA256
9f8d81705e17df1fb0ac6288455d7d52ce64abdc8fc4ea6ec917f18baeae8ee0

SHA512
e0a39951c4a25aa17c16e0636218ed490212d6fcf9f8602ff64af497f103604857d735b6f391a83df314157adfc05b2c31cca5589e76b96dbdbfbf5177799647

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\update.cab

Filesize
137KB

MD5
b7ccf4e5b87bcd55479c86024ef8bde5

SHA1
a3a36e99e2425d696cea65a18fccd25fa2be81a7

SHA256
c57fd5f1a50186b87c6a50ad71524992aafb33bcac5b54b0538aa66382efe6bd

SHA512
79767eeda8a30edc27c18382c7e98cf0298977d3f7c16a874ecb2263e93bd90ecae592cbf53e57c1f458ca4994835e2f925b922272e8ec4331da645dd959cd72

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.0MB

MD5
64becbcdddb5bd555d3264191377e1b8

SHA1
8c852cda8409e2e71e41effd30706db2abffb31a

SHA256
86ea00a2bcca32c53414549e8fa9404b75dff8a3cbc6ae84854cd7fa36b55b72

SHA512
639532ee14d6621b80d45221d5ec487f739d75019c13853c0b88801f5d403ed9d425f083631c4af7779d5a712c55a466a2ff17fbb3b40f3254025a47ca47e1b3

Download Submit
\??\Volume{894291df-0000-0000-0000-d08302000000}\System Volume Information\SPP\OnlineMetadataCache\{ea0f8ccb-2d78-4a00-9bd9-44ee12c788f5}_OnDiskSnapshotProp

Filesize
6KB

MD5
1d5a08f288f73d7702233e611e56bd4e

SHA1
63530428dbaaf65244dd876028598d63af225a56

SHA256
6f7e73af13300145105c8d5aab0c75df78f16542fb863a9f2c527095b5eab559

SHA512
e256e6a7031a8e450b09ac70d5e458ab53864322f5fcd522d032555cc32cc062602bfdc690fe32c04d388722bfa8130aba83ae9bfb7a87cafb6e4e11431c4d3e

Download Submit
memory/4080-113-0x0000000074DE0000-0x0000000074E5C000-memory.dmp

Filesize
496KB

Download
memory/5576-127-0x0000000003E40000-0x0000000003E98000-memory.dmp

Filesize
352KB

Download
memory/5576-128-0x00000000035A0000-0x00000000036A0000-memory.dmp

Filesize
1024KB

Download
memory/5576-121-0x00000000035A0000-0x00000000036A0000-memory.dmp

Filesize
1024KB

Download
memory/5576-122-0x00000000035A0000-0x00000000036A0000-memory.dmp

Filesize
1024KB

Download
memory/5576-123-0x0000000003E40000-0x0000000003E98000-memory.dmp

Filesize
352KB

Download
memory/5576-124-0x0000000003E40000-0x0000000003E98000-memory.dmp

Filesize
352KB

Download
memory/5576-125-0x0000000003E40000-0x0000000003E98000-memory.dmp

Filesize
352KB

Download
memory/5576-126-0x0000000003E40000-0x0000000003E98000-memory.dmp

Filesize
352KB

Download
memory/5576-119-0x00000000035A0000-0x00000000036A0000-memory.dmp

Filesize
1024KB

Download
memory/5576-120-0x00000000035A0000-0x00000000036A0000-memory.dmp

Filesize
1024KB

Download
memory/5576-129-0x00000000035A0000-0x00000000036A0000-memory.dmp

Filesize
1024KB

Download
memory/5576-116-0x00000000033A0000-0x00000000034A0000-memory.dmp

Filesize
1024KB

Download
memory/5576-118-0x00000000035A0000-0x00000000036A0000-memory.dmp

Filesize
1024KB

Download
memory/5576-132-0x0000000074DE0000-0x0000000074E5C000-memory.dmp

Filesize
496KB

Download
memory/5576-134-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/5576-133-0x0000000003E40000-0x0000000003E98000-memory.dmp

Filesize
352KB

Download
memory/5576-138-0x0000000003E40000-0x0000000003E98000-memory.dmp

Filesize
352KB

Download
memory/5576-141-0x0000000003E40000-0x0000000003E98000-memory.dmp

Filesize
352KB

Download
memory/5576-140-0x0000000003E40000-0x0000000003E98000-memory.dmp

Filesize
352KB

Download