sakula | e239a0b9b21b1a8bd6030651664a305da5eb16918cd149e7bf4c0d1d1ad4aed7

Analysis

max time kernel
150s
max time network
149s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
10/04/2025, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe
Size

89KB
MD5

c2ba8a89f39f40ddffcb97dab4fcd443
SHA1

506cda450ca18935ee14f453f2b33c4a43f99963
SHA256

e239a0b9b21b1a8bd6030651664a305da5eb16918cd149e7bf4c0d1d1ad4aed7
SHA512

7709b6ab86ff4ec72af5f2de596881819b64743c788807e09196d2e9f33c33d27cf767578f1b557edb4154669f91d9620b864d4446135987531b40ecd98cb82d
SSDEEP

1536:PQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX+ees52z30rtra:w29DkEGRQixVSjLaes5G30B+

Score

10^/10

sakula discovery persistence rat trojan

Malware Config

Extracted

Family

sakula

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Sakula family
sakula

Sakula payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000002823f-3.dat	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe

Executes dropped EXE 2 IoCs

pid	Process
5648	MediaCenter.exe
5232	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com
46	ip-api.com
47	ip-api.com
48	ip-api.com
49	ip-api.com
39	ip-api.com
42	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediaCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediaCenter.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4448	cmd.exe
1252	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133887974681022538"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1252	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
3260	chrome.exe
3260	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeIncBasePriorityPrivilege	4704	2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 5648	4704	2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe	84
PID 4704 wrote to memory of 5648	4704	2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe	84
PID 4704 wrote to memory of 5648	4704	2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe	84
PID 5656 wrote to memory of 5232	5656	cmd.exe	85
PID 5656 wrote to memory of 5232	5656	cmd.exe	85
PID 5656 wrote to memory of 5232	5656	cmd.exe	85
PID 924 wrote to memory of 5776	924	chrome.exe	89
PID 924 wrote to memory of 5776	924	chrome.exe	89
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 64	924	chrome.exe	90
PID 924 wrote to memory of 4668	924	chrome.exe	91
PID 924 wrote to memory of 4668	924	chrome.exe	91
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92
PID 924 wrote to memory of 4736	924	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2025-04-01_c2ba8a89f39f40ddffcb97dab4fcd443_amadey_rhadamanthys_sakula_smoke-loader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4448
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5656
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x94,0x228,0x7ffa2fbcdcf8,0x7ffa2fbcdd04,0x7ffa2fbcdd10
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=632,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1592,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4220,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4232 /prefetch:2
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5404,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5600,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:5604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5416,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5780,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5716,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5928,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5616,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5488,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3164,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4660,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5804,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4756,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3420 /prefetch:2
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4788,i,14138098142788987932,259058044407070905,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5d1c7ebbc6a2b2d695e44b986ee97cf3

SHA1
5c774f7517d8128238a2dc4c288013270ea8c531

SHA256
72b2b77d6f33aca2c7fb174deb1dbc4623fc878b5ea6597663391479ed6f0efd

SHA512
2f5143636bc5586bc0fea5a9062c655eb5797b86e184bb054ed9880c780b3b2b72c2d21b21b13b12fbb6be2b29c4bef30168ecabd1330b625db2e5cce0a7a44d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bff3f18c4eafe8b2705676c7dd264bab

SHA1
e74795e204b68232431e5cc3b7dff83e0dbf5ea3

SHA256
8d864aac63110c7f28964517375675492987009fe14be163680185b17f4d5196

SHA512
1e87bc5a4019a5c1cf0b49928347e5f1996395acefb2343fc779f482620b6a1c9106b03cd0929134d94f7dcdb74a468ed71335b1eec3ce76750e7e7777090ee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3094ce6752a165202afaeb73999d20bc

SHA1
cc9948f9ae5cba80a26d6b8d73e06d5b142b2dd8

SHA256
6d67317ddc0a3d4b74a9d032c305cccf4f1a2d9a2bb4cc459131c2b2a880f7c6

SHA512
959b420c5b87cfcd8f29962530b6fbcb5480bf540c1185ecd30beb16f6c8026df93f2928139990e63c7ce3f4f8b280e08778b8b8cc9b3a597737ea9f7fcd4243

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0e6ace63834ef417ae11ccdc709dd834

SHA1
1e62d5a36498b0ceb2722da6443d3605dc169ffa

SHA256
59da958a1a9eae1f3b56375f469f13911a59f7862e897bb751d6e50e35ab14ac

SHA512
15bd28d8fe838560315c6d11f5917c65836766c8cac622df74625e3ae61511372606ff7087f3c75d179c0e43e528445423d21c5ffa8876a7791a7db68653ee4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
70aa2ed9d33cbb6c754e4ecdafa02c33

SHA1
017ca0ea3330e42a7fb437f62f6fab502c9a9b9d

SHA256
52e0d013445a7ab06665818b9299ee915acc33641380be25054cabd1ed920477

SHA512
10543111b43028b9bf15802e241f4906ade9ab9a518341f88d96d885a4d8b4dad84ea66497f546eaed25894ce01897ad6b1fad079d61e9109baf6906e81291ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b15a0fdfef39ab2425870072eb290ee3

SHA1
16cf5505287b29016922e915ca192f8f0ab431cd

SHA256
977a2c10b61f271c1ef79cf8b1d4a48e63d860fa716286f3e883f2a24a7d61bd

SHA512
ce519e455d5b737a27c818bc532820654052f76b4a45dc857c5d8c768a9e85a4bd897a08866595ade1ab3ed3d213f7e1839212129dfb33a4415c8fc76450bc76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
275d5aecd149fcd4361860ea3a5eb355

SHA1
0db5473128971e681c27138273f5b48255dca93a

SHA256
f6606091de340877e2e531034f277128acd7c1e87f4e21ee0c80db05d565339d

SHA512
c5fd306171093af0bc20ee452909c2c64d2a27d774a8da35f2858c8c22dcb22a129d4df88913dcee5426809328f3d3374b3c8e51c3ee1169e4e47613e2c3ac2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6466c54bd0b6165e2d209092773d8c3a

SHA1
176ad34b8eeea8a35ce6b61617f2a15a6eb1bbc0

SHA256
edacee9dc2c5b3d5a5c480b163e2ba2f428965cde02c923b3c226e6d44c640fb

SHA512
9b29451c20130be34c880ef5cb899d12fde92f2e8057ad1fc9e2aa97869cfcf985f342db3cf880057dea553c046114b8bee2228954e2dde984338a72f098579c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b248.TMP

Filesize
48B

MD5
051341b75779f6af2f810c68ba70dbde

SHA1
3280d458abd1e6d716d02a4b7a85d19fabf0c7e8

SHA256
79e13eed41e5339a53eae51e3a86399e43c9b77672b5ba1df9606176fadefd93

SHA512
8e3894f681ef696b4187e1b37bcfaa51f0f3b70cf384d3d704b59af5487d93c3bfbf36653d37f534a4ac6a5dbaebd54746d8a5fc09a5411253ecddfee491d586

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
f81cfed449650e558b2884b533f3af03

SHA1
1617778fbd564c6bfda32f7bcb089baee4c6cb1f

SHA256
ac72b6d9149bccfd6e8072ad019372fd690364fe212c3786b871d0ed9ab58c1f

SHA512
676783d76e891227e48ad0b6074e74a5ce71c0d2c8bbe72ba14b6d2b713098eab3ec580a6058129d5a5f2f688cbab3cfb70bc9391847b1c2f84c7f218b1e36ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
473f3572cfe128f7d8f5ebabb7dc7b8f

SHA1
2373e46bdf214835e634097a4e4abd583ca0376f

SHA256
132e96c41cc24b63d7ad83397c1482651c46006722c2376a927036c3e75de86d

SHA512
6588fa46b6f6d12a13b9360a477b55163c2764ef8fa64934c1f02915a20aad895703ac91eeaaea648f0b2cd42cc129c6e3d1f569857898434819f5c7dc0daf85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
e8d5b033c4118eedb13ab250d857ac9f

SHA1
eefa7d6f0a7ea84fe7e97f3397f05aaab9c9e340

SHA256
bd8eeac3668053fa1acbe1c5c0e8f7f00ea4735f7d6500382404e5bba2cb5daf

SHA512
bbb0e52585a434fabd904ca04bbdcfbad62e2e81f955487c6426f9855704d9a94f641ab64cda49e4c36a132811e2c628fcf71fde10dadc6c797ae1f3a4152c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
89KB

MD5
aebd6bc5a1a3ec514817c9a56dcba9cb

SHA1
7c2b7d9372ff205c903f35b2e93942c50bde9d97

SHA256
3e058c86f672fbda17052176a83e7111fa5e51db3e7146f25835aa585fe74fc0

SHA512
757d95ff63648005b8945bb99a882492bc65d47a24cc0ff0c2bf72f87c00a3bb517287de07e1f6c4d9d470a7dab6b81f00b4d3f6c765153a19e8147b50cd014c

Download Submit