hxxps://r[.]clk31[.]com/s[.]ashx?ms=AZ31[:]207774_152201&e=kenneth%40someone[.]com&eId=1214288&c=h&url=https%3a%2f%2fonlinexperiences[.]com%2fscripts%2fServer[.]nxp%3fLASCmd%3dAI%3a4%3bF%3aAPIUTILS!51004%26PageID%3dC84A1A3D-7D5D-4153-A50E-026ACA335009

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://r.clk31.com/s.ashx?ms=AZ31:207774_152201&e=kenneth%40someone.com&eId=1214288&c=h&url=https%3a%2f%2fonlinexperiences.com%2fscripts%2fServer.nxp%3fLASCmd%3dAI%3a4%3bF%3aAPIUTILS!51004%26PageID%3dC84A1A3D-7D5D-4153-A50E-026ACA335009

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133356226472401007"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3168	chrome.exe
3168	chrome.exe
3884	chrome.exe
3884	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2828	3168	chrome.exe	74
PID 3168 wrote to memory of 2828	3168	chrome.exe	74
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 1544	3168	chrome.exe	83
PID 3168 wrote to memory of 4824	3168	chrome.exe	84
PID 3168 wrote to memory of 4824	3168	chrome.exe	84
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85
PID 3168 wrote to memory of 4908	3168	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://r.clk31.com/s.ashx?ms=AZ31:207774_152201&e=kenneth%40someone.com&eId=1214288&c=h&url=https%3a%2f%2fonlinexperiences.com%2fscripts%2fServer.nxp%3fLASCmd%3dAI%3a4%3bF%3aAPIUTILS!51004%26PageID%3dC84A1A3D-7D5D-4153-A50E-026ACA335009
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc10039758,0x7ffc10039768,0x7ffc10039778
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1896,i,7517925394466293048,13899264661703516562,131072 /prefetch:2
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,7517925394466293048,13899264661703516562,131072 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1896,i,7517925394466293048,13899264661703516562,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1896,i,7517925394466293048,13899264661703516562,131072 /prefetch:1
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1896,i,7517925394466293048,13899264661703516562,131072 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4672 --field-trial-handle=1896,i,7517925394466293048,13899264661703516562,131072 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1896,i,7517925394466293048,13899264661703516562,131072 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 --field-trial-handle=1896,i,7517925394466293048,13899264661703516562,131072 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4984 --field-trial-handle=1896,i,7517925394466293048,13899264661703516562,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3884

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
2daf93242bb7686bc57755e11443ad01

SHA1
b6feb84b042b381e068b4b87ca8182f570d13027

SHA256
01ed84ec79cece1487360b32f904383cc18a58da0e96b8d32b22225fddea7029

SHA512
e7f5ef80bd889bfbeca08fb09ff6cca7ba207e6c8d35cedaf1128774909ef7ce340c41974f89b146945d9e356ee4cbc2bab11f8ced2d7fe16354f82c6b1642a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b4de48bec4dc73dfda838b2a1f28596d

SHA1
1607526c5738d2424dafa74f89986156fced3c42

SHA256
1acddd966cafbe76c1146c9d22774df2695a4873346a62ec99989a415addeab9

SHA512
b03a1ed9f97191149e81cae06f2428ab065ac9da452df5a96a5c62cc81a1d8dd419c2fc19aac89ff95d7091cba64ac348bfe5c30759de4d1af85744b168ad1a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
ef5ab11c990a2598123c885912ea0063

SHA1
cfad38348d15979f0bea317f964b94b85265635a

SHA256
93ca80c7295456a7f9859b8421fbff291df28e87d7985f059177e9676ea9f70b

SHA512
b7af95bf574064aeae09b00745bbd55021804bd6953bbcd89268faba2e3bb359620fa804c7b085573d60f36cd8ecbf4c17f64bfeb87ba095e8594d9f78078216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b02275bb54076c68c0298650a71a9c0b

SHA1
369e2add852409a512a360ef66d46fd7a59c4650

SHA256
8124c40644a9fe85f32e277af4a2fbed1e1d82d65c967d88983e4d78d9ae5483

SHA512
bb47ad5cae43fe1133b84df5c3237676a351956f3b95a603e4d11487b9ba6b5f7b5483da4e313b702f2eb5f42aab9888130062038f90fc350bca94e7f95f8b64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
846556edf4cb1a9fdfbf59dac0bb707d

SHA1
a5eb35a0f0cd3454d990b3b5d79ce1bd84635cde

SHA256
f8e99b49c46838cea249d6589d882b3d9c10715d92905957f6d4f2389aecf35d

SHA512
0e09869d95c3cf8cf15ebcef86fbabb6badbcdd217aa6f65d16032313b4d300947033da4ba5903330cd480eab3952b98780c2f17b7d07f549a75130322b7da18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit