hxxps://www[.]ipqualityscore[.]com/tor-ip-address-check/lookup/185[.]220[.]100[.]252

Analysis

max time kernel
151s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25-03-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.ipqualityscore.com/tor-ip-address-check/lookup/185.220.100.252

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558423159483541"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3852399462-405385529-394778097-1000\{DD97529C-F1DB-4DD4-92D4-77BE4C916D52}	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 4688	3320	chrome.exe	80
PID 3320 wrote to memory of 4688	3320	chrome.exe	80
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 408	3320	chrome.exe	82
PID 3320 wrote to memory of 1048	3320	chrome.exe	83
PID 3320 wrote to memory of 1048	3320	chrome.exe	83
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84
PID 3320 wrote to memory of 4700	3320	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.ipqualityscore.com/tor-ip-address-check/lookup/185.220.100.252
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4ffb9758,0x7ffb4ffb9768,0x7ffb4ffb9778
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:2
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5076 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2700 --field-trial-handle=1828,i,9353838446369379892,17816125897418081260,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
71b0c6ca564ec058a686a66522fefedc

SHA1
77445ccd49d57cfba119410ac48bdd646f2cc558

SHA256
e064be3d0fe7067bee20589cc3facc111b975e46f5e2b55fb72bd2930546b7e7

SHA512
337616a222bef05b00177aa9641a033da384de986ddd9fde3db12e6a3d362b500a2bc13802e262f68ece18a59dec2d9a4bf3bde17b82e845d7104e57e133e171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a2b40b8ce9d2d9235f76dd40d4c18451

SHA1
567ec77214e1838721891e6cd06cef1523068012

SHA256
34dc4c8d7a22bc036df4fc887c56bb1f2b3688055f1efcbadaf9031c38818a31

SHA512
58cfb0db923ed537f7199314e7b9029ca3528b848ea6f36a151678648c2e0bda0e228744877a2bb38b4722b415d4572ca8a1ea7b359dff71408adb352d62da06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0d331e2eb0b938de6d7cb6f72f76476d

SHA1
99a196b338009e8607a018670553e5ecaa89ccc5

SHA256
35b9fc3f1f8fcc74c92a79fade60be6960c4a0216c9643be07998c87e029dc81

SHA512
7192bf4a350aeabd35279785c582ca71d9b620388890734dc46a9968b8fbd650d979e575ef4b3b1727b9a23c6ab5a8c8eb4d0a4254c5a93261367537b4751a7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d2d04d9e1306f2a932da871d476fe9e4

SHA1
c2858e99133f0ec853433c26ff6af1f07aa180f0

SHA256
219bfcda245d28e865685adf4eb6e1af085c4f87d634f067c5f6c39e0937a9f4

SHA512
0d0e223ab3d1b1e9a8f5b4534e3ce13d36c2751e7516e31e24d0bc75b9fef6cb905c0a8115bbde8f8bc0ddbc0494632bb98ce7ddf806efa12b37cc347d075ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
08a9d5fd99aa529088fdb6171200f121

SHA1
ee1f86c80d0426486113df951a8c7ec47ea4e8c0

SHA256
f7f2f4c676866c989dad82d4b77c0a6d5d3d7e176b1399617f99040cea2b9889

SHA512
9ed2f8ef01a7855f83b2d83d468e67f8781f3b1756daa0aead76fd9b196b4ae26ff0b88784d60436a69f859d3b2519b02f475afd19e95de04a87ff83bcff9a07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
902e1504d1e4d0620a04a7d6716e8fbc

SHA1
16497e69dd48df1a0ac17841c3c6048528db48e4

SHA256
1afc7d77fab6ca1cc1c717f68a7f154a5d3585aacb8b968a0eb20d4c5208a017

SHA512
0dcc8124e0c21044049156dec735e89a794ecb6e24a9ed16c58a80e04f2b8aac86ed15b42a919b49fe9105f02bcc0a13e320f7f521c1c63d88a8043bfb97b7d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit