valleyrat_s2 | d7c1332432d04e757cf1e7f684f3eaf7558df0d2b076ebe293e393151bb5391f

Analysis

max time kernel
149s
max time network
146s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
03/04/2025, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google Ai Browser v1.0.9.msi
Size

68.9MB
MD5

a8f19829f0c6a008c9e4a2fa60c17fe1
SHA1

bd6006f43b88b4bce6929a03a34d7daf3d53829f
SHA256

d7c1332432d04e757cf1e7f684f3eaf7558df0d2b076ebe293e393151bb5391f
SHA512

e301c24967e35ec5259dd43c3109fd9e5a243b54bf1ae690ee25c2193fb9772eb8ad85d0add305dd045b6ba003a4bd0c687d2ace480b4ee7bb9a0a71f2464533
SSDEEP

1572864:O0sBl88NiDnEr1FV6YWCfHdc5nfXR3w4y5v7PjOwNAWK3CMkT/BmPoP3jqjjrNG:8RMDELV6wfdc5nW4yhOmAWlMkVC

Score

10^/10

valleyrat_s2 backdoor discovery

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

23.133.4.3:6666

23.133.4.3:7777

127.0.0.1:80

Attributes

campaign_date
2025. 2.28

Signatures

ValleyRat
ValleyRat stage2 is a backdoor written in C++.
backdoor valleyrat_s2
Valleyrat_s2 family
valleyrat_s2

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	uc.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	uc.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	uc.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	uc.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	uc.exe
File opened (read-only)	\??\Q:	uc.exe
File opened (read-only)	\??\V:	uc.exe
File opened (read-only)	\??\J:	uc.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	uc.exe
File opened (read-only)	\??\M:	uc.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	uc.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	uc.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\D:	uc.exe
File opened (read-only)	\??\L:	uc.exe
File opened (read-only)	\??\O:	uc.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	uc.exe
File opened (read-only)	\??\P:	uc.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	uc.exe
File opened (read-only)	\??\R:	uc.exe
File opened (read-only)	\??\X:	uc.exe
File opened (read-only)	\??\Y:	uc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D72.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F19.tmp	msiexec.exe
File created	C:\Windows\Installer\e591c2b.msi	msiexec.exe
File created	C:\Windows\Installer\e591c29.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e591c29.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6FC069DC-4259-42D8-8F58-A72E9AA11461}	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	uc.exe

Loads dropped DLL 9 IoCs

pid	Process
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
5024	MsiExec.exe
5024	MsiExec.exe
5024	MsiExec.exe
2528	uc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uc.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000044694f4bbeae9ae40000000000000000000000000000000000000000000000000000000000000000000000000000000000001071020000000000c01200000000ffffffff00000000270101000088380144694f4b0000000000001071020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d083020000000000c050e1000000ffffffff000000000700010000e8410144694f4b000000000000d08302000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090d4e30000000000000005000000ffffffff00000000070001000048ea7144694f4b00000000000090d4e300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000044694f4b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\PackageCode = "2249B1C099A366F4994F60EA599B2C8D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\Language = "2052"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CD960CF695248D24F8857AE2A91A4116	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CD960CF695248D24F8857AE2A91A4116\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF4252F72C1166F419557E6F6666835D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF4252F72C1166F419557E6F6666835D\CD960CF695248D24F8857AE2A91A4116	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\ProductName = "Google Ai Browser v1.0.9"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\PackageName = "Google Ai Browser v1.0.9.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\Version = "16777225"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2528	uc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3052	msiexec.exe
3052	msiexec.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe
2528	uc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2784	msiexec.exe
Token: SeSecurityPrivilege	3052	msiexec.exe
Token: SeCreateTokenPrivilege	2784	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2784	msiexec.exe
Token: SeLockMemoryPrivilege	2784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2784	msiexec.exe
Token: SeMachineAccountPrivilege	2784	msiexec.exe
Token: SeTcbPrivilege	2784	msiexec.exe
Token: SeSecurityPrivilege	2784	msiexec.exe
Token: SeTakeOwnershipPrivilege	2784	msiexec.exe
Token: SeLoadDriverPrivilege	2784	msiexec.exe
Token: SeSystemProfilePrivilege	2784	msiexec.exe
Token: SeSystemtimePrivilege	2784	msiexec.exe
Token: SeProfSingleProcessPrivilege	2784	msiexec.exe
Token: SeIncBasePriorityPrivilege	2784	msiexec.exe
Token: SeCreatePagefilePrivilege	2784	msiexec.exe
Token: SeCreatePermanentPrivilege	2784	msiexec.exe
Token: SeBackupPrivilege	2784	msiexec.exe
Token: SeRestorePrivilege	2784	msiexec.exe
Token: SeShutdownPrivilege	2784	msiexec.exe
Token: SeDebugPrivilege	2784	msiexec.exe
Token: SeAuditPrivilege	2784	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2784	msiexec.exe
Token: SeChangeNotifyPrivilege	2784	msiexec.exe
Token: SeRemoteShutdownPrivilege	2784	msiexec.exe
Token: SeUndockPrivilege	2784	msiexec.exe
Token: SeSyncAgentPrivilege	2784	msiexec.exe
Token: SeEnableDelegationPrivilege	2784	msiexec.exe
Token: SeManageVolumePrivilege	2784	msiexec.exe
Token: SeImpersonatePrivilege	2784	msiexec.exe
Token: SeCreateGlobalPrivilege	2784	msiexec.exe
Token: SeCreateTokenPrivilege	2784	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2784	msiexec.exe
Token: SeLockMemoryPrivilege	2784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2784	msiexec.exe
Token: SeMachineAccountPrivilege	2784	msiexec.exe
Token: SeTcbPrivilege	2784	msiexec.exe
Token: SeSecurityPrivilege	2784	msiexec.exe
Token: SeTakeOwnershipPrivilege	2784	msiexec.exe
Token: SeLoadDriverPrivilege	2784	msiexec.exe
Token: SeSystemProfilePrivilege	2784	msiexec.exe
Token: SeSystemtimePrivilege	2784	msiexec.exe
Token: SeProfSingleProcessPrivilege	2784	msiexec.exe
Token: SeIncBasePriorityPrivilege	2784	msiexec.exe
Token: SeCreatePagefilePrivilege	2784	msiexec.exe
Token: SeCreatePermanentPrivilege	2784	msiexec.exe
Token: SeBackupPrivilege	2784	msiexec.exe
Token: SeRestorePrivilege	2784	msiexec.exe
Token: SeShutdownPrivilege	2784	msiexec.exe
Token: SeDebugPrivilege	2784	msiexec.exe
Token: SeAuditPrivilege	2784	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2784	msiexec.exe
Token: SeChangeNotifyPrivilege	2784	msiexec.exe
Token: SeRemoteShutdownPrivilege	2784	msiexec.exe
Token: SeUndockPrivilege	2784	msiexec.exe
Token: SeSyncAgentPrivilege	2784	msiexec.exe
Token: SeEnableDelegationPrivilege	2784	msiexec.exe
Token: SeManageVolumePrivilege	2784	msiexec.exe
Token: SeImpersonatePrivilege	2784	msiexec.exe
Token: SeCreateGlobalPrivilege	2784	msiexec.exe
Token: SeCreateTokenPrivilege	2784	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2784	msiexec.exe
Token: SeLockMemoryPrivilege	2784	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2784	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2528	uc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4872	3052	msiexec.exe	85
PID 3052 wrote to memory of 4872	3052	msiexec.exe	85
PID 3052 wrote to memory of 4872	3052	msiexec.exe	85
PID 3052 wrote to memory of 2180	3052	msiexec.exe	98
PID 3052 wrote to memory of 2180	3052	msiexec.exe	98
PID 3052 wrote to memory of 5024	3052	msiexec.exe	100
PID 3052 wrote to memory of 5024	3052	msiexec.exe	100
PID 3052 wrote to memory of 5024	3052	msiexec.exe	100
PID 5024 wrote to memory of 2528	5024	MsiExec.exe	101
PID 5024 wrote to memory of 2528	5024	MsiExec.exe	101
PID 5024 wrote to memory of 2528	5024	MsiExec.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Ai Browser v1.0.9.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 658705725D6717A49A7CD28DD7785E7D C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4872
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2180
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5A7B7B1DB8DF76697C66300C87BA460F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\uc.exe
    "C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\uc.exe"
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e591c2a.rbs

Filesize
20KB

MD5
4cad3bb04dfd42847e29c2f22f7e84a3

SHA1
96da5054b1cc5586ef3119d284dcfc23ef2416e6

SHA256
d6eb009b724252dff40a0bfed2fbcba3d52655be5f358023a5c0c0d930415da6

SHA512
54c452dcacdf4cda05f615738d47bfcebac4975b92cf0a201dbc2ffcbca27801d343b3c9585dfb0de8b7b0a4f8b066041f984d3bd15f2cd57e4297a8b0f091fd

Download Submit
C:\ProgramData\11UCore3.cpy

Filesize
229KB

MD5
003a41d52177c23eb8e3a7ced50324ae

SHA1
29b04e9c7f4262e5fdd7f487d3abc71a69b2de95

SHA256
0d27409ef8c71e81534006253109ce1072ad55cbf8a10a72b694426a45f6562b

SHA512
7b72294dba4d47ff4a41b3ff4ceefb7dbf2961928c1175ccc87b07852c1595d91892c2b29a5d294a0332ff9bb28ac32c4f963c40c58a7f8d9fb2829037cd4772

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI952B.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\11UCore.dll

Filesize
726KB

MD5
a042e037cd57ea1b93cfea3422a5d8a9

SHA1
aec7fac9e60565e0f5d8e3bc56308d4b5c4cdc71

SHA256
a37a054cc6244d10f4ba5be8020dc7b6b7ef7d3c2c4f1727d7779021e9150018

SHA512
5be7a1a0ec764dd404cda28aa03b3eadbca2c4e2bb2948add6650c28d2d8d3b14204e292776445ef9104ba4fb9193d430a040a4fd89f41af5939c85b8dad1306

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\uc.exe

Filesize
1.3MB

MD5
0318aa67eaebc33d51ad2f675536bac1

SHA1
2355fc33db6eef7b6d6abd93fb148109db4c3e5f

SHA256
9f8d81705e17df1fb0ac6288455d7d52ce64abdc8fc4ea6ec917f18baeae8ee0

SHA512
e0a39951c4a25aa17c16e0636218ed490212d6fcf9f8602ff64af497f103604857d735b6f391a83df314157adfc05b2c31cca5589e76b96dbdbfbf5177799647

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\update.cab

Filesize
137KB

MD5
5fd3c6cadd7ba6952b6f2a36960540e1

SHA1
4bd280842c3c68a582e7d46918024e46cf0217be

SHA256
dfc09ef787c4ed4343c1f6210c6041b4bca084929130f657475964e9ee1354f2

SHA512
512a20dc3d29d44a541433649f332344724e5460aa621d0cd1e89d5378418a3a16fd857611704f88e09d9ea93cf4e34ae70a5d6a3a632b1016eee34b2399b05f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.0MB

MD5
f816615edc85ddd3adbc25b55e026086

SHA1
2c539837ea22608ddb137d11045923385461a2e8

SHA256
71cb370f93048a7fba116ee2342f1125020ca4e421e6825a808d677b582f6da4

SHA512
e81f9b899e6c994cc1d0e8b542c96a353df8fa45f654c75f233d6497ef7dd16b33becdbac10396a8a8f63f5eaff61b8c61f7aef681c9c23887fc24b5105fca6f

Download Submit
\??\Volume{4b4f6944-0000-0000-0000-d08302000000}\System Volume Information\SPP\OnlineMetadataCache\{919ef41d-4c24-4fef-b1e7-d2ffa0a4981e}_OnDiskSnapshotProp

Filesize
6KB

MD5
ee5ed6550c8dd2fc6b8ddc626a4b9858

SHA1
9119f248158999d1ba288f865e3e0c779e6c72f1

SHA256
205b08d2c6cb891151821d45e2a705593301b7c52e9474751c07eab6fb1c471d

SHA512
a86a5f1e9c2f8331c3df00600006e6dae5cea53624160645efe1c5f7ec12fbb7b26af3ad36fc99108e72fe6f35de162fd3c318c9f6b4d44e311a499e61940810

Download Submit
memory/2528-131-0x0000000002F10000-0x0000000003010000-memory.dmp

Filesize
1024KB

Download
memory/2528-127-0x00000000037D0000-0x0000000003828000-memory.dmp

Filesize
352KB

Download
memory/2528-120-0x0000000002F10000-0x0000000003010000-memory.dmp

Filesize
1024KB

Download
memory/2528-121-0x0000000002F10000-0x0000000003010000-memory.dmp

Filesize
1024KB

Download
memory/2528-122-0x0000000002F10000-0x0000000003010000-memory.dmp

Filesize
1024KB

Download
memory/2528-123-0x0000000002F10000-0x0000000003010000-memory.dmp

Filesize
1024KB

Download
memory/2528-125-0x00000000037D0000-0x0000000003828000-memory.dmp

Filesize
352KB

Download
memory/2528-124-0x0000000002F10000-0x0000000003010000-memory.dmp

Filesize
1024KB

Download
memory/2528-126-0x00000000037D0000-0x0000000003828000-memory.dmp

Filesize
352KB

Download
memory/2528-118-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/2528-128-0x00000000037D0000-0x0000000003828000-memory.dmp

Filesize
352KB

Download
memory/2528-129-0x00000000037D0000-0x0000000003828000-memory.dmp

Filesize
352KB

Download
memory/2528-130-0x0000000002F10000-0x0000000003010000-memory.dmp

Filesize
1024KB

Download
memory/2528-140-0x00000000037D0000-0x0000000003828000-memory.dmp

Filesize
352KB

Download
memory/2528-132-0x0000000074AC0000-0x0000000074B3C000-memory.dmp

Filesize
496KB

Download
memory/2528-135-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/2528-134-0x00000000037D0000-0x0000000003828000-memory.dmp

Filesize
352KB

Download
memory/2528-139-0x00000000037D0000-0x0000000003828000-memory.dmp

Filesize
352KB

Download
memory/2528-141-0x00000000037D0000-0x0000000003828000-memory.dmp

Filesize
352KB

Download
memory/5024-114-0x0000000074AC0000-0x0000000074B3C000-memory.dmp

Filesize
496KB

Download