valleyrat_s2 | 2974e4eb86ceb963caf3b6dbca86995bd31955df16b00e5735178a4a98b85e00

Analysis

max time kernel
149s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
03/04/2025, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google AI Browser v1.3.3.msi
Size

68.9MB
MD5

fab734d9abaa41a7c47795c828419bbc
SHA1

f6c4d2800b8658f4d21c6c6438109829fbb722c0
SHA256

2974e4eb86ceb963caf3b6dbca86995bd31955df16b00e5735178a4a98b85e00
SHA512

0ea366f757e84253a7583b77bdffa16ce74e92a20cd4dde4e0a3fcede0a6a258e9ff3cfb5def49a7fde3d1ee1309fe54683b41986e3ac4ec136757d666714678
SSDEEP

1572864:n0uJbTTPj3Rbu7Fh0Cv7OuQ5kVxc6sj/kcAXpUmUewr5/Rf3C/mAmhen3Z/:FvT9u7Ak7OuQ16sEZUm6r5JV

Score

10^/10

valleyrat_s2 backdoor discovery

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

23.133.4.6:6666

23.133.4.6:7777

127.0.0.1:80

Attributes

campaign_date
2025. 3. 2

Signatures

ValleyRat
ValleyRat stage2 is a backdoor written in C++.
backdoor valleyrat_s2
Valleyrat_s2 family
valleyrat_s2

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	uc.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	uc.exe
File opened (read-only)	\??\T:	uc.exe
File opened (read-only)	\??\U:	uc.exe
File opened (read-only)	\??\V:	uc.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	uc.exe
File opened (read-only)	\??\O:	uc.exe
File opened (read-only)	\??\X:	uc.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	uc.exe
File opened (read-only)	\??\R:	uc.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	uc.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	uc.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	uc.exe
File opened (read-only)	\??\G:	uc.exe
File opened (read-only)	\??\L:	uc.exe
File opened (read-only)	\??\S:	uc.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	uc.exe
File opened (read-only)	\??\K:	uc.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	uc.exe
File opened (read-only)	\??\W:	uc.exe
File opened (read-only)	\??\Z:	uc.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A54.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8740944A269DD325.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2754.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5DDE57E61C0A3EFF.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{96DFEDED-7E2A-4733-8BC7-8AC33369D40C}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDDBB338D75EBEBE5.TMP	msiexec.exe
File created	C:\Windows\Installer\e5926f9.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3830A559006A0802.TMP	msiexec.exe
File created	C:\Windows\Installer\e5926f7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5926f7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2801.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	uc.exe

Loads dropped DLL 9 IoCs

pid	Process
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
3672	MsiExec.exe
3672	MsiExec.exe
3672	MsiExec.exe
3052	uc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003c9263343ee389390000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003c9263340000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003c926334000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3c926334000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003c92633400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\Language = "2052"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF4252F72C1166F419557E6F6666835D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DEDEFD69A2E73374B87CA83C33964DC0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\Version = "16973827"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF4252F72C1166F419557E6F6666835D\DEDEFD69A2E73374B87CA83C33964DC0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\PackageName = "Google AI Browser v1.3.3.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DEDEFD69A2E73374B87CA83C33964DC0\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\ProductName = "Google AI Browser v1.3.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\PackageCode = "6A21E92FE7F6A7C409DF2B746123F477"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DEDEFD69A2E73374B87CA83C33964DC0\SourceList\Net	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3052	uc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3844	msiexec.exe
3844	msiexec.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe
3052	uc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3548	msiexec.exe
Token: SeSecurityPrivilege	3844	msiexec.exe
Token: SeCreateTokenPrivilege	3548	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3548	msiexec.exe
Token: SeLockMemoryPrivilege	3548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3548	msiexec.exe
Token: SeMachineAccountPrivilege	3548	msiexec.exe
Token: SeTcbPrivilege	3548	msiexec.exe
Token: SeSecurityPrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeLoadDriverPrivilege	3548	msiexec.exe
Token: SeSystemProfilePrivilege	3548	msiexec.exe
Token: SeSystemtimePrivilege	3548	msiexec.exe
Token: SeProfSingleProcessPrivilege	3548	msiexec.exe
Token: SeIncBasePriorityPrivilege	3548	msiexec.exe
Token: SeCreatePagefilePrivilege	3548	msiexec.exe
Token: SeCreatePermanentPrivilege	3548	msiexec.exe
Token: SeBackupPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeShutdownPrivilege	3548	msiexec.exe
Token: SeDebugPrivilege	3548	msiexec.exe
Token: SeAuditPrivilege	3548	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3548	msiexec.exe
Token: SeChangeNotifyPrivilege	3548	msiexec.exe
Token: SeRemoteShutdownPrivilege	3548	msiexec.exe
Token: SeUndockPrivilege	3548	msiexec.exe
Token: SeSyncAgentPrivilege	3548	msiexec.exe
Token: SeEnableDelegationPrivilege	3548	msiexec.exe
Token: SeManageVolumePrivilege	3548	msiexec.exe
Token: SeImpersonatePrivilege	3548	msiexec.exe
Token: SeCreateGlobalPrivilege	3548	msiexec.exe
Token: SeCreateTokenPrivilege	3548	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3548	msiexec.exe
Token: SeLockMemoryPrivilege	3548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3548	msiexec.exe
Token: SeMachineAccountPrivilege	3548	msiexec.exe
Token: SeTcbPrivilege	3548	msiexec.exe
Token: SeSecurityPrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeLoadDriverPrivilege	3548	msiexec.exe
Token: SeSystemProfilePrivilege	3548	msiexec.exe
Token: SeSystemtimePrivilege	3548	msiexec.exe
Token: SeProfSingleProcessPrivilege	3548	msiexec.exe
Token: SeIncBasePriorityPrivilege	3548	msiexec.exe
Token: SeCreatePagefilePrivilege	3548	msiexec.exe
Token: SeCreatePermanentPrivilege	3548	msiexec.exe
Token: SeBackupPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeShutdownPrivilege	3548	msiexec.exe
Token: SeDebugPrivilege	3548	msiexec.exe
Token: SeAuditPrivilege	3548	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3548	msiexec.exe
Token: SeChangeNotifyPrivilege	3548	msiexec.exe
Token: SeRemoteShutdownPrivilege	3548	msiexec.exe
Token: SeUndockPrivilege	3548	msiexec.exe
Token: SeSyncAgentPrivilege	3548	msiexec.exe
Token: SeEnableDelegationPrivilege	3548	msiexec.exe
Token: SeManageVolumePrivilege	3548	msiexec.exe
Token: SeImpersonatePrivilege	3548	msiexec.exe
Token: SeCreateGlobalPrivilege	3548	msiexec.exe
Token: SeCreateTokenPrivilege	3548	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3548	msiexec.exe
Token: SeLockMemoryPrivilege	3548	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3548	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3052	uc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 5004	3844	msiexec.exe	83
PID 3844 wrote to memory of 5004	3844	msiexec.exe	83
PID 3844 wrote to memory of 5004	3844	msiexec.exe	83
PID 3844 wrote to memory of 2628	3844	msiexec.exe	88
PID 3844 wrote to memory of 2628	3844	msiexec.exe	88
PID 3844 wrote to memory of 3672	3844	msiexec.exe	90
PID 3844 wrote to memory of 3672	3844	msiexec.exe	90
PID 3844 wrote to memory of 3672	3844	msiexec.exe	90
PID 3672 wrote to memory of 3052	3672	MsiExec.exe	91
PID 3672 wrote to memory of 3052	3672	MsiExec.exe	91
PID 3672 wrote to memory of 3052	3672	MsiExec.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google AI Browser v1.3.3.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2B1B2E2D2D0B928B9F9741973A100E6D C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5004
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2628
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C62114AECA13F49AB431DEABDCD634CA
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\uc.exe
    "C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\uc.exe"
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5926f8.rbs

Filesize
20KB

MD5
cc304074db7d45852df2a8229eeca857

SHA1
ce74a4a94922862e2f9f5a841d79257e9fc043a8

SHA256
67ade901be284b0fe750f97f9fa4d80ac5d7a8a9d1ab98e69b5250d77f3ab28e

SHA512
6fff03e5254699ac3de0490d0dd869c9b2abef2103672055c9f1f73f00b608332704c88a047aaaae7fa3110ef5920943487a8ff0e56d66ded061592bd178f530

Download Submit
C:\ProgramData\11UCore3.cpy

Filesize
229KB

MD5
003a41d52177c23eb8e3a7ced50324ae

SHA1
29b04e9c7f4262e5fdd7f487d3abc71a69b2de95

SHA256
0d27409ef8c71e81534006253109ce1072ad55cbf8a10a72b694426a45f6562b

SHA512
7b72294dba4d47ff4a41b3ff4ceefb7dbf2961928c1175ccc87b07852c1595d91892c2b29a5d294a0332ff9bb28ac32c4f963c40c58a7f8d9fb2829037cd4772

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7FBF.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\11UCore.dll

Filesize
725KB

MD5
f445081a2d57529ecf5404b4ee58bfe0

SHA1
7f52c1e26ecd229e1d0624d8e5b32bc9087c23b0

SHA256
632feb47233ed59b5c90f1d80d502e700b3a365238b6f82fc14f5d72da7f670c

SHA512
6bded997b5f1bafffc5b91eb940868d71a4a1420ccfc1ad4b449fc85151af4cebb9410df2be48bb4eac6b095c3414829db32c84aedbb9b0028443dd022d93ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\uc.exe

Filesize
1.3MB

MD5
0318aa67eaebc33d51ad2f675536bac1

SHA1
2355fc33db6eef7b6d6abd93fb148109db4c3e5f

SHA256
9f8d81705e17df1fb0ac6288455d7d52ce64abdc8fc4ea6ec917f18baeae8ee0

SHA512
e0a39951c4a25aa17c16e0636218ed490212d6fcf9f8602ff64af497f103604857d735b6f391a83df314157adfc05b2c31cca5589e76b96dbdbfbf5177799647

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google AI Browser v1.3.3\update.cab

Filesize
137KB

MD5
b7ccf4e5b87bcd55479c86024ef8bde5

SHA1
a3a36e99e2425d696cea65a18fccd25fa2be81a7

SHA256
c57fd5f1a50186b87c6a50ad71524992aafb33bcac5b54b0538aa66382efe6bd

SHA512
79767eeda8a30edc27c18382c7e98cf0298977d3f7c16a874ecb2263e93bd90ecae592cbf53e57c1f458ca4994835e2f925b922272e8ec4331da645dd959cd72

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
6c0e0c5f529845a10448ba6292bfd44a

SHA1
f876546a173062d775ab3ff574765801a2007e7a

SHA256
8fd162b6897cbcb6e43ae3453af4e500577d8449fb6d2ece1ab9e6830c1fbd4d

SHA512
1139df404c4fe626dec526145b9a3fea87475d6e399815c601c1c7ea21a569df088c86bacdbe2713778d251e205bbb88be2ea2fe8902a4b8cb2eec19735712f8

Download Submit
\??\Volume{3463923c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b1c3a84d-868d-41ed-bdb4-8fa1cdbb975e}_OnDiskSnapshotProp

Filesize
6KB

MD5
51a4aab6a09d17394855811053ffe6a0

SHA1
2587f278c27469e50ad0df6a375245b770cfae99

SHA256
fbca3b94082e0c3a895142a201b210606c62ca4b981a38cdc140b0cab8f96219

SHA512
59dc97521502b9ed214ac90a6ca7866c463d07949f98e39cf25690977d7bf9f7f1ccc33cdb1015c6d1088d3662da4c97f669900531fee07da62ec3db9f62c20b

Download Submit
memory/3052-124-0x0000000002F20000-0x0000000003020000-memory.dmp

Filesize
1024KB

Download
memory/3052-127-0x0000000003750000-0x00000000037A8000-memory.dmp

Filesize
352KB

Download
memory/3052-120-0x0000000002F20000-0x0000000003020000-memory.dmp

Filesize
1024KB

Download
memory/3052-121-0x0000000002F20000-0x0000000003020000-memory.dmp

Filesize
1024KB

Download
memory/3052-119-0x0000000002F20000-0x0000000003020000-memory.dmp

Filesize
1024KB

Download
memory/3052-118-0x0000000002F20000-0x0000000003020000-memory.dmp

Filesize
1024KB

Download
memory/3052-140-0x0000000003750000-0x00000000037A8000-memory.dmp

Filesize
352KB

Download
memory/3052-125-0x0000000003750000-0x00000000037A8000-memory.dmp

Filesize
352KB

Download
memory/3052-126-0x0000000003750000-0x00000000037A8000-memory.dmp

Filesize
352KB

Download
memory/3052-116-0x0000000002D20000-0x0000000002E20000-memory.dmp

Filesize
1024KB

Download
memory/3052-128-0x0000000003750000-0x00000000037A8000-memory.dmp

Filesize
352KB

Download
memory/3052-129-0x0000000003750000-0x00000000037A8000-memory.dmp

Filesize
352KB

Download
memory/3052-130-0x0000000074D00000-0x0000000074D7C000-memory.dmp

Filesize
496KB

Download
memory/3052-131-0x0000000002F20000-0x0000000003020000-memory.dmp

Filesize
1024KB

Download
memory/3052-132-0x0000000002F20000-0x0000000003020000-memory.dmp

Filesize
1024KB

Download
memory/3052-133-0x0000000003750000-0x00000000037A8000-memory.dmp

Filesize
352KB

Download
memory/3052-134-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/3052-138-0x0000000003750000-0x00000000037A8000-memory.dmp

Filesize
352KB

Download
memory/3052-139-0x0000000003750000-0x00000000037A8000-memory.dmp

Filesize
352KB

Download
memory/3672-113-0x0000000074D00000-0x0000000074D7C000-memory.dmp

Filesize
496KB

Download