hxxps://filezilla-project[.]org[:]443/images/sponsors/postdownload_manual[.]png

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filezilla-project.org:443/images/sponsors/postdownload_manual.png

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133371035621653897"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe
3928	chrome.exe
3928	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3564	4228	chrome.exe	84
PID 4228 wrote to memory of 3564	4228	chrome.exe	84
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4372	4228	chrome.exe	86
PID 4228 wrote to memory of 4344	4228	chrome.exe	88
PID 4228 wrote to memory of 4344	4228	chrome.exe	88
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87
PID 4228 wrote to memory of 4968	4228	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://filezilla-project.org:443/images/sponsors/postdownload_manual.png
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1ae29758,0x7ffa1ae29768,0x7ffa1ae29778
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1852,i,8184989244540028295,5135833474327509960,131072 /prefetch:2
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1852,i,8184989244540028295,5135833474327509960,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1852,i,8184989244540028295,5135833474327509960,131072 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1852,i,8184989244540028295,5135833474327509960,131072 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1852,i,8184989244540028295,5135833474327509960,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1852,i,8184989244540028295,5135833474327509960,131072 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1852,i,8184989244540028295,5135833474327509960,131072 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2740 --field-trial-handle=1852,i,8184989244540028295,5135833474327509960,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
e0ab5639af9edd17cb72cafefce15900

SHA1
3fb67b7bb0ac77d1c60375f5adcca6833c78831b

SHA256
52870c97a192e3f072e63c53af65cc474e9813d9c1c1963c2abfaf6ee20aee74

SHA512
d4d7709618f3e5fd6a13d958f0d2f25b575f71cddd664d1db78f05c056ce693e4f1a2c99fbbf349823787c913637c96cba14b559c519cf82a7534a18d149d0fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
61032ac458a1b46965a0ebb0efbff0e2

SHA1
cde32d434c575e81e167da6cd50d0c3f25d7cdf9

SHA256
011a8c67e1c9b79ed957674ea52264d1c593bfa896b32d323538d55854a83f87

SHA512
cb8d7365460938348aaae2711578a0e7273d786dae54fffbd5f4b30cc6754fbf16e9a8462b9a208d3a79b07096739ec1a66cfc4545db71c0ef68e29aa4cd4255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
c32b3b7473155127460130fc4668d074

SHA1
9940b1c0fc0547d1dd191ccbf9f611976be6027b

SHA256
a494ef82a80963c8728ae65ffadf1733da4421fb55a14520ee3ca1efcb6b8fea

SHA512
05ea7a97a244c62fb9e8ae5dd8a6f98f500b659aea0ec4da83faf92de32f2c9622854f3068bb3c5362673b5c84d073ac95aaabc72c843cf2cda1a76022bba976

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b7e5eb83e631acc9e43c6f973be77956

SHA1
d79e390a6743a518aa05e8019202064419ee3bd2

SHA256
8526529d23075828aed76849434a19b16bf2875af8517d19e67b936ed2348aeb

SHA512
e465742f6b858ab02e76259f24c47bf3393b4cfca58876ac740e7f48233bfdbb11e9754c9ace57eb02dd3fe8680c0f8db19fdbc602c330e90ea53921434512b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
67002b0a4ad85e1f8c227b66353766b5

SHA1
a91ac3020ac2b179ea58f8190dc70cf420bf6713

SHA256
6cf83bdd5cadad07417cfa0444a716a6c3c5794cf3cf401b60f2bb0730b425f1

SHA512
72f03008629838d9d60b16598bac149b8315f668ff53977628ad0c4fbfbcb8beacc2c59b4f31f4b1bcf9a981a42296a0d59901a549de03e01b515cfa05086ec5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
c26f75766cca772ce44984c45c369dea

SHA1
41e5f449f59ea35b6db8be46d46e3f31202b48ee

SHA256
753d0746e8664a9fd4dcc94b3d298e91aeb3f3b847f785387be8b66635b12c93

SHA512
90c07f043cde406c7fdd48d06e1ff5b6a5b9bd98cc9601c16b3ebfc4caac5bebc2f5915e66ce56a2e9f9c851746ba5facc49bfa3aed3b70f4f60ca1db415b00b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit