valleyrat_s2 | d7c1332432d04e757cf1e7f684f3eaf7558df0d2b076ebe293e393151bb5391f

Analysis

max time kernel
149s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
03/04/2025, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google Ai Browser v1.0.9.msi
Size

68.9MB
MD5

a8f19829f0c6a008c9e4a2fa60c17fe1
SHA1

bd6006f43b88b4bce6929a03a34d7daf3d53829f
SHA256

d7c1332432d04e757cf1e7f684f3eaf7558df0d2b076ebe293e393151bb5391f
SHA512

e301c24967e35ec5259dd43c3109fd9e5a243b54bf1ae690ee25c2193fb9772eb8ad85d0add305dd045b6ba003a4bd0c687d2ace480b4ee7bb9a0a71f2464533
SSDEEP

1572864:O0sBl88NiDnEr1FV6YWCfHdc5nfXR3w4y5v7PjOwNAWK3CMkT/BmPoP3jqjjrNG:8RMDELV6wfdc5nW4yhOmAWlMkVC

Score

10^/10

valleyrat_s2 backdoor discovery

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

23.133.4.3:6666

23.133.4.3:7777

127.0.0.1:80

Attributes

campaign_date
2025. 2.28

Signatures

ValleyRat
ValleyRat stage2 is a backdoor written in C++.
backdoor valleyrat_s2
Valleyrat_s2 family
valleyrat_s2

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	uc.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	uc.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	uc.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	uc.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	uc.exe
File opened (read-only)	\??\U:	uc.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	uc.exe
File opened (read-only)	\??\R:	uc.exe
File opened (read-only)	\??\V:	uc.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	uc.exe
File opened (read-only)	\??\Y:	uc.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	uc.exe
File opened (read-only)	\??\J:	uc.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	uc.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	uc.exe
File opened (read-only)	\??\W:	uc.exe
File opened (read-only)	\??\X:	uc.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	uc.exe
File opened (read-only)	\??\Z:	uc.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	uc.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{6FC069DC-4259-42D8-8F58-A72E9AA11461}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE54C.tmp	msiexec.exe
File created	C:\Windows\Installer\e58e27d.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA11E04AC17CE5AB2.TMP	msiexec.exe
File created	C:\Windows\Installer\e58e27b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58e27b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE396.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF856DFBE928A8CC5F.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF05FE51CEFB41F0B1.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8175A91886131C0B.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
5056	uc.exe

Loads dropped DLL 9 IoCs

pid	Process
396	MsiExec.exe
396	MsiExec.exe
396	MsiExec.exe
396	MsiExec.exe
396	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
5056	uc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uc.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dd575b479d1d92260000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dd575b470000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900dd575b47000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1ddd575b47000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dd575b4700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\Version = "16777225"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CD960CF695248D24F8857AE2A91A4116	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF4252F72C1166F419557E6F6666835D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF4252F72C1166F419557E6F6666835D\CD960CF695248D24F8857AE2A91A4116	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\PackageName = "Google Ai Browser v1.0.9.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\ProductName = "Google Ai Browser v1.0.9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CD960CF695248D24F8857AE2A91A4116\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD960CF695248D24F8857AE2A91A4116\PackageCode = "2249B1C099A366F4994F60EA599B2C8D"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5056	uc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	msiexec.exe
2940	msiexec.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe
5056	uc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1844	msiexec.exe
Token: SeSecurityPrivilege	2940	msiexec.exe
Token: SeCreateTokenPrivilege	1844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1844	msiexec.exe
Token: SeLockMemoryPrivilege	1844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1844	msiexec.exe
Token: SeMachineAccountPrivilege	1844	msiexec.exe
Token: SeTcbPrivilege	1844	msiexec.exe
Token: SeSecurityPrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeLoadDriverPrivilege	1844	msiexec.exe
Token: SeSystemProfilePrivilege	1844	msiexec.exe
Token: SeSystemtimePrivilege	1844	msiexec.exe
Token: SeProfSingleProcessPrivilege	1844	msiexec.exe
Token: SeIncBasePriorityPrivilege	1844	msiexec.exe
Token: SeCreatePagefilePrivilege	1844	msiexec.exe
Token: SeCreatePermanentPrivilege	1844	msiexec.exe
Token: SeBackupPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeShutdownPrivilege	1844	msiexec.exe
Token: SeDebugPrivilege	1844	msiexec.exe
Token: SeAuditPrivilege	1844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1844	msiexec.exe
Token: SeChangeNotifyPrivilege	1844	msiexec.exe
Token: SeRemoteShutdownPrivilege	1844	msiexec.exe
Token: SeUndockPrivilege	1844	msiexec.exe
Token: SeSyncAgentPrivilege	1844	msiexec.exe
Token: SeEnableDelegationPrivilege	1844	msiexec.exe
Token: SeManageVolumePrivilege	1844	msiexec.exe
Token: SeImpersonatePrivilege	1844	msiexec.exe
Token: SeCreateGlobalPrivilege	1844	msiexec.exe
Token: SeCreateTokenPrivilege	1844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1844	msiexec.exe
Token: SeLockMemoryPrivilege	1844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1844	msiexec.exe
Token: SeMachineAccountPrivilege	1844	msiexec.exe
Token: SeTcbPrivilege	1844	msiexec.exe
Token: SeSecurityPrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeLoadDriverPrivilege	1844	msiexec.exe
Token: SeSystemProfilePrivilege	1844	msiexec.exe
Token: SeSystemtimePrivilege	1844	msiexec.exe
Token: SeProfSingleProcessPrivilege	1844	msiexec.exe
Token: SeIncBasePriorityPrivilege	1844	msiexec.exe
Token: SeCreatePagefilePrivilege	1844	msiexec.exe
Token: SeCreatePermanentPrivilege	1844	msiexec.exe
Token: SeBackupPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeShutdownPrivilege	1844	msiexec.exe
Token: SeDebugPrivilege	1844	msiexec.exe
Token: SeAuditPrivilege	1844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1844	msiexec.exe
Token: SeChangeNotifyPrivilege	1844	msiexec.exe
Token: SeRemoteShutdownPrivilege	1844	msiexec.exe
Token: SeUndockPrivilege	1844	msiexec.exe
Token: SeSyncAgentPrivilege	1844	msiexec.exe
Token: SeEnableDelegationPrivilege	1844	msiexec.exe
Token: SeManageVolumePrivilege	1844	msiexec.exe
Token: SeImpersonatePrivilege	1844	msiexec.exe
Token: SeCreateGlobalPrivilege	1844	msiexec.exe
Token: SeCreateTokenPrivilege	1844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1844	msiexec.exe
Token: SeLockMemoryPrivilege	1844	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1844	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5056	uc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 396	2940	msiexec.exe	84
PID 2940 wrote to memory of 396	2940	msiexec.exe	84
PID 2940 wrote to memory of 396	2940	msiexec.exe	84
PID 2940 wrote to memory of 2420	2940	msiexec.exe	89
PID 2940 wrote to memory of 2420	2940	msiexec.exe	89
PID 2940 wrote to memory of 1824	2940	msiexec.exe	91
PID 2940 wrote to memory of 1824	2940	msiexec.exe	91
PID 2940 wrote to memory of 1824	2940	msiexec.exe	91
PID 1824 wrote to memory of 5056	1824	MsiExec.exe	92
PID 1824 wrote to memory of 5056	1824	MsiExec.exe	92
PID 1824 wrote to memory of 5056	1824	MsiExec.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Ai Browser v1.0.9.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 027887FB6C7AD23F81CF0080879A3E30 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:396
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2420
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6B7FC15B0E79AEA637DAB0A3557CE3E3
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\uc.exe
    "C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\uc.exe"
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58e27c.rbs

Filesize
20KB

MD5
64bb001a9b8ebeca88d10c28aaed9b88

SHA1
bc24f31369d5338258ffc550819af5047c343c62

SHA256
a941ee8c991565f5c06e1e1d7c8f1e170ae82401623cc5d7be5518f400c3760e

SHA512
19a18303ba0576854f39a10ca0dd15eb9d6ed373c4e6602d679fb131e2e3ce53de18f6d2b2586746e1351728fe560e7ff10f5003f5fadb713767f169d958b69b

Download Submit
C:\ProgramData\11UCore3.cpy

Filesize
229KB

MD5
003a41d52177c23eb8e3a7ced50324ae

SHA1
29b04e9c7f4262e5fdd7f487d3abc71a69b2de95

SHA256
0d27409ef8c71e81534006253109ce1072ad55cbf8a10a72b694426a45f6562b

SHA512
7b72294dba4d47ff4a41b3ff4ceefb7dbf2961928c1175ccc87b07852c1595d91892c2b29a5d294a0332ff9bb28ac32c4f963c40c58a7f8d9fb2829037cd4772

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI611B.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\11UCore.dll

Filesize
726KB

MD5
a042e037cd57ea1b93cfea3422a5d8a9

SHA1
aec7fac9e60565e0f5d8e3bc56308d4b5c4cdc71

SHA256
a37a054cc6244d10f4ba5be8020dc7b6b7ef7d3c2c4f1727d7779021e9150018

SHA512
5be7a1a0ec764dd404cda28aa03b3eadbca2c4e2bb2948add6650c28d2d8d3b14204e292776445ef9104ba4fb9193d430a040a4fd89f41af5939c85b8dad1306

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\uc.exe

Filesize
1.3MB

MD5
0318aa67eaebc33d51ad2f675536bac1

SHA1
2355fc33db6eef7b6d6abd93fb148109db4c3e5f

SHA256
9f8d81705e17df1fb0ac6288455d7d52ce64abdc8fc4ea6ec917f18baeae8ee0

SHA512
e0a39951c4a25aa17c16e0636218ed490212d6fcf9f8602ff64af497f103604857d735b6f391a83df314157adfc05b2c31cca5589e76b96dbdbfbf5177799647

Download Submit
C:\Users\Admin\AppData\Roaming\Mancyag\Google Ai Browser v1.0.9\update.cab

Filesize
137KB

MD5
5fd3c6cadd7ba6952b6f2a36960540e1

SHA1
4bd280842c3c68a582e7d46918024e46cf0217be

SHA256
dfc09ef787c4ed4343c1f6210c6041b4bca084929130f657475964e9ee1354f2

SHA512
512a20dc3d29d44a541433649f332344724e5460aa621d0cd1e89d5378418a3a16fd857611704f88e09d9ea93cf4e34ae70a5d6a3a632b1016eee34b2399b05f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
155321a6d44f2b8bd49c114bd5ea4483

SHA1
95df308e806da174a28ae1949031a93ffd3fa9bc

SHA256
ede4d8afaeb0fbff3a74bebf7d06c88b39213cd34376ceb06ae4b6d4f2c23274

SHA512
ac3325e28e60abd171ec8910836e8612c9db1db0ec2e66f749bba1c09020ff46fe00e8957a5e72bc071f9cbcd31029d75be15286d6e0b8b5aa060e5c2abe19f8

Download Submit
\??\Volume{475b57dd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9613b813-b4d4-4bc7-801e-02c49590f928}_OnDiskSnapshotProp

Filesize
6KB

MD5
271b975f25cb89a45031a17f09ef2dab

SHA1
a94b568b520d3367e92a613364dc1dd2c0610482

SHA256
b7765c023e0ef641068a087ed83b6c4825677ca1d91832eba553d8cdd998122d

SHA512
12626b7a66b72fe977aa819b501f237e576962bc7d59e5ab46e9f6b80421f0136f45a521db23b74a0d0981f03d0649f587212942f37559af4e0f218cfd12b3c7

Download Submit
memory/1824-111-0x0000000074AC0000-0x0000000074B3C000-memory.dmp

Filesize
496KB

Download
memory/5056-119-0x0000000003090000-0x0000000003190000-memory.dmp

Filesize
1024KB

Download
memory/5056-128-0x0000000003090000-0x0000000003190000-memory.dmp

Filesize
1024KB

Download
memory/5056-120-0x0000000003090000-0x0000000003190000-memory.dmp

Filesize
1024KB

Download
memory/5056-123-0x00000000038F0000-0x0000000003948000-memory.dmp

Filesize
352KB

Download
memory/5056-122-0x0000000003090000-0x0000000003190000-memory.dmp

Filesize
1024KB

Download
memory/5056-124-0x00000000038F0000-0x0000000003948000-memory.dmp

Filesize
352KB

Download
memory/5056-125-0x00000000038F0000-0x0000000003948000-memory.dmp

Filesize
352KB

Download
memory/5056-126-0x00000000038F0000-0x0000000003948000-memory.dmp

Filesize
352KB

Download
memory/5056-127-0x00000000038F0000-0x0000000003948000-memory.dmp

Filesize
352KB

Download
memory/5056-121-0x0000000003090000-0x0000000003190000-memory.dmp

Filesize
1024KB

Download
memory/5056-129-0x0000000003090000-0x0000000003190000-memory.dmp

Filesize
1024KB

Download
memory/5056-118-0x0000000003090000-0x0000000003190000-memory.dmp

Filesize
1024KB

Download
memory/5056-116-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/5056-132-0x0000000074A30000-0x0000000074AAC000-memory.dmp

Filesize
496KB

Download
memory/5056-134-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/5056-133-0x00000000038F0000-0x0000000003948000-memory.dmp

Filesize
352KB

Download
memory/5056-138-0x00000000038F0000-0x0000000003948000-memory.dmp

Filesize
352KB

Download
memory/5056-140-0x00000000038F0000-0x0000000003948000-memory.dmp

Filesize
352KB

Download
memory/5056-139-0x00000000038F0000-0x0000000003948000-memory.dmp

Filesize
352KB

Download