hxxps://r[.]clk31[.]com/s[.]ashx?ms=AZ31[:]207774_152201&e=kenneth[.]delatorre%40ti[.]com&eId=1214288&c=t&url=hxxps://onlinexperiences=2Ecom/scripts/Server[.]nxp?LASCmd=AI[:]4;F[:]APIUTILS!51004&PageID=C84A1A3D-7D5D-4153-A50E-026ACA335009=0A=0A=0AView

Analysis

max time kernel
119s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://r.clk31.com/s.ashx?ms=AZ31:207774_152201&e=kenneth.delatorre%40ti.com&eId=1214288&c=t&url=https://onlinexperiences=2Ecom/scripts/Server.nxp?LASCmd=AI:4;F:APIUTILS!51004&PageID=C84A1A3D-7D5D-4153-A50E-026ACA335009=0A=0A=0AView

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133356225630815188"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4468	chrome.exe
4468	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4468	chrome.exe
4468	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 1852	4468	chrome.exe	59
PID 4468 wrote to memory of 1852	4468	chrome.exe	59
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2456	4468	chrome.exe	82
PID 4468 wrote to memory of 2508	4468	chrome.exe	84
PID 4468 wrote to memory of 2508	4468	chrome.exe	84
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83
PID 4468 wrote to memory of 4916	4468	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://r.clk31.com/s.ashx?ms=AZ31:207774_152201&e=kenneth.delatorre%40ti.com&eId=1214288&c=t&url=https://onlinexperiences=2Ecom/scripts/Server.nxp?LASCmd=AI:4;F:APIUTILS!51004&PageID=C84A1A3D-7D5D-4153-A50E-026ACA335009=0A=0A=0AView
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff929419758,0x7ff929419768,0x7ff929419778
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1884,i,6178047594179907312,9571988448086865801,131072 /prefetch:2
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1884,i,6178047594179907312,9571988448086865801,131072 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1884,i,6178047594179907312,9571988448086865801,131072 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1884,i,6178047594179907312,9571988448086865801,131072 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1884,i,6178047594179907312,9571988448086865801,131072 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1884,i,6178047594179907312,9571988448086865801,131072 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1884,i,6178047594179907312,9571988448086865801,131072 /prefetch:8
  2⤵
  PID:4924

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
893B

MD5
18a5c3252e54047ac1c496eab16d7159

SHA1
f531abac8872b6f3d684823ef38b39f1349c94bf

SHA256
c182ab2687e25c746aed3ee04c1a64359ffd7c3c19f789089f917eb3a247fefd

SHA512
c0705ef004ace1f6582744e8cb28ce125fce4adbd025630bcd035af6d125bf6a140537aca7d01ca5bb6e309eef06c57d00b7402f6ab3ebbefe83611f95e225a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b206c666edce0e83f1cb02f0eb1a5c25

SHA1
f4910e0313ce9c888c5075ea628ebbb15a5c1036

SHA256
97d1ba0c6627afbfd8127985aabf4d620d20c712e23fb249885f48fe07b62f9f

SHA512
6fbe1198e363af2359972256c538b1c048ed540c06b1af9c4bd9e1b6c690710600e1d1111b5246222015ee539b1b630e98fa9c76949e5481d9e69149e918df43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0c41f648926fe0c040583f7932b76d17

SHA1
1ab59d60af112eccfbdf94bc854ce7154a56233a

SHA256
ac8e6c78a04aa09bd250528105c4ef7b563306a9c71a1203d428120c3bf2d932

SHA512
8485724b5e15fa0e9b1fc36e8d37820cd22dfae529a0fbd917eda1f1855fa7c774b089b3b48f12e26e187ad6cdeff7185b4d144001deaf16efc5e2e4a9229029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
1511dbda6f0b1654086726a3e013a1cc

SHA1
933218787b5a7536ddbaa33ddc44c4164a0130cb

SHA256
0a57cbb1d75175e856656e401f2589f6d1ae32728f23188a11b65ca27061bb3c

SHA512
c6a1b41700ad1f83b30e632803e96ca8fe355a54ebff69ceedf98f1a38e058cabc2e770a741fedd39fb7e0a973960865da6d7d3f1e3fffada791899b8fa6484b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit