hawkeye | hxxps://oxy[.]st/d/BNQh

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Nitama External.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	Nitama External.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	Nitama External.exe

Executes dropped EXE 2 IoCs

pid	Process
1160	Nitama External.exe
1936	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Nitama External.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
185	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1632	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133604488537468043"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1160	Nitama External.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
1160	Nitama External.exe
1160	Nitama External.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
3732	chrome.exe
3732	chrome.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe
4000	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1160	Nitama External.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 1040	4380	chrome.exe	82
PID 4380 wrote to memory of 1040	4380	chrome.exe	82
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 2360	4380	chrome.exe	83
PID 4380 wrote to memory of 3344	4380	chrome.exe	84
PID 4380 wrote to memory of 3344	4380	chrome.exe	84
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85
PID 4380 wrote to memory of 3888	4380	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oxy.st/d/BNQh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd17afab58,0x7ffd17afab68,0x7ffd17afab78
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:2
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4472 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4592 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5012 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4972 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5016 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3948 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5316 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=272 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:8
  2⤵
  PID:2220
- C:\Users\Admin\Downloads\Nitama External.exe
  "C:\Users\Admin\Downloads\Nitama External.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nitama External.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nitama External.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdate.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3216 --field-trial-handle=1920,i,9926932082051380577,10299364458447942216,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4000

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Executes dropped EXE
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery