hxxps://res[.]cisco[.]com/websafe/help?topic=RegEnvelope

Analysis

max time kernel
1200s
max time network
1150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2023 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://res.cisco.com/websafe/help?topic=RegEnvelope

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133367407086039427"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1728	chrome.exe
1728	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeCreatePagefilePrivilege	1348	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 3080	1348	chrome.exe	82
PID 1348 wrote to memory of 3080	1348	chrome.exe	82
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 4440	1348	chrome.exe	84
PID 1348 wrote to memory of 2960	1348	chrome.exe	85
PID 1348 wrote to memory of 2960	1348	chrome.exe	85
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86
PID 1348 wrote to memory of 4192	1348	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://res.cisco.com/websafe/help?topic=RegEnvelope
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3b7e9758,0x7ffc3b7e9768,0x7ffc3b7e9778
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1904,i,4676296897044256775,11525610605783060595,131072 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1904,i,4676296897044256775,11525610605783060595,131072 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1904,i,4676296897044256775,11525610605783060595,131072 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1904,i,4676296897044256775,11525610605783060595,131072 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1904,i,4676296897044256775,11525610605783060595,131072 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1904,i,4676296897044256775,11525610605783060595,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1904,i,4676296897044256775,11525610605783060595,131072 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4760 --field-trial-handle=1904,i,4676296897044256775,11525610605783060595,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1728

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
796ac844bc397bc8546cf4cfebf8188c

SHA1
4a74ee735b4ae1c45fad5c50c0377383e5677ca8

SHA256
e43de90a6f0fcb1d87279459ce15c47c2c992b7724eadd47beabbd64392315ed

SHA512
7143efed61af6c4690e0eea53cdb49fc8fad5b265bab63b9f8a368300b5688ec121a03127d44c1baffbe4e88ddec9ffb3778cdf4a7f88f7bbe8bfad6907e6769

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
823B

MD5
81baf9e75911ad667d570357abf4b8e1

SHA1
05a7740d3f4fd7869124326371019e1dd81e12a6

SHA256
aa5c96aa311a66c824961172aef3881d7ece2a39314fb39888be25d73afa00a9

SHA512
a52cc5329c7b5533b8c7d288dc35f3a34112f3f660f3fb4b954b96537100b637fd826c8c69f29844de83e645833acc1aee6228a0030a26d8443e3769618cd63d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
b31345ad73471af5b86e03b895d6769a

SHA1
8f8148e38f356041de0712e7d0135ad6734235a1

SHA256
c6290f71fd1f4a7ee69eaba8c25115b50288a3baf3b91f5268b56b8ea01d43aa

SHA512
85c1521ddd92435dc24b64332e807c1803c9fb6d257d395bbc746d86a03ac290c0e162e5978d836d68176e2f563e3a40ad8bec7ce4df3dfdb91e511d9d23ae06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
59cfee2e8a024bedfa6ac02722dbef48

SHA1
97bb84d8e7e89d0b19fb85ff93588dd24341b35c

SHA256
ee40f2b9431e84104d1477d986565e97c5820812d682ee212f2ff162c3532959

SHA512
b6a67b65ba016fd2da0365ab3d3ba55dbc39d251e02465796cbc80fc741f67b8183a2a4682e016055b51f2ee5624754c8dbb6e0cc5cc905841beb097210c7c6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
939399c70abd1a14351739bf20699578

SHA1
93356ec6c29d78d984c47f5ffa2d6888928bb731

SHA256
ffb087f60cbfa87cff73448e29391a280fad660ccf12c2ba59b3a4fb021829ab

SHA512
a461e357d82c9017497e20d416f1789a2cc7a601c7b34f1a142c6617875817d0f529c26d0340970b84b9016a4e1d346745ac25578cb3f32aecf7efac138c8a41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
6b5a0d54a62a915b99174f54d4eb486a

SHA1
dade19c189b9332bd2866a5ac3a5651085fb3585

SHA256
bfcd627b78a258b5a21218cdc644454e5abaaf61253c46119eae251c59737c88

SHA512
5248d4c03e7d98ff11421fe167788d1bd9fc14f2e3b930a777d4791aa2ab06d5ff4d4f213026a5562b147ce39c4513d455fb706bf7315b6f7a67af876ac04374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit