hxxps://tn3270[.]myabilitynetwork[.]com/activex/ab3270[.]application?sesHost=stream[.]ses[.]visionshareinc[.]com&sesPort=443&sesConnectionId=connection-629&connectTimeout=60&readTimeout=30&model=IBM-3278-4-E&authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImhKaWl0TzFheHpmN3dTa0hfel9LTUF5MDF4USJ9[.]eyJpc3MiOiJBYmlsaXR5TmV0d29yayIsImF1ZCI6Imh0dHA6Ly9hYmlsaXR5bmV0d29yay5jb20iLCJleHAiOjE3MTg5MDI0ODYsIm5iZiI6MTcxODkwMTg4NiwiQ3JtQWNjb3VudE51bWJlciI6IjE1OTQxIiwiQ29ycmVsYXRpb25JZCI6IjRiODU2MTRiLTcxNzUtNDA4NS05NjY4LTJjYjcyNmVlOTEyMCIsImxhdW5jaFR5cGUiOiIyIiwic3ViIjoic29rbGVuZy5uYXdhekBoc2MudXRhaC5lZHUiLCJVc2VySWQiOiI0MjJkNzk2Ni00NzFhLTQ1MTctOGQ1OC02OTI0MjkzYzI0YjEiLCJMb2dpblR5cGUiOiJEaXJlY3QifQ[.]I4t85J2lSh2bidk2SK_TfEVMfTsatBhJng3SnHsIeUzmwZAmaMcH6R4rVaDuV7sOsxcWZfiuK0YDRmewN4wZEcrUkGBilqyGIK4QTWX7YlbOWMNo5OuZdrSbX9DXOglWae4ejCniGM-xP8nmHffPLhvnskE2nlgznbxfxQ3U_A6Vh2hPVPW-18BWqV8hAbXQgbcPaOe9jjM-BElbihb4RICuErXHggIyul4bLmDp4Cay5u8_O7AO7fSDFbmfKLBQSny1GUtEkcvrmf3cr-BL5rmb0NeFgyYEocAtet2U2spfqAyCuauDMcll8J3NMjJ_SzzRxOXNIV5jbeNAbijawQ

Analysis

max time kernel
78s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tn3270.myabilitynetwork.com/activex/ab3270.application?sesHost=stream.ses.visionshareinc.com&sesPort=443&sesConnectionId=connection-629&connectTimeout=60&readTimeout=30&model=IBM-3278-4-E&authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImhKaWl0TzFheHpmN3dTa0hfel9LTUF5MDF4USJ9.eyJpc3MiOiJBYmlsaXR5TmV0d29yayIsImF1ZCI6Imh0dHA6Ly9hYmlsaXR5bmV0d29yay5jb20iLCJleHAiOjE3MTg5MDI0ODYsIm5iZiI6MTcxODkwMTg4NiwiQ3JtQWNjb3VudE51bWJlciI6IjE1OTQxIiwiQ29ycmVsYXRpb25JZCI6IjRiODU2MTRiLTcxNzUtNDA4NS05NjY4LTJjYjcyNmVlOTEyMCIsImxhdW5jaFR5cGUiOiIyIiwic3ViIjoic29rbGVuZy5uYXdhekBoc2MudXRhaC5lZHUiLCJVc2VySWQiOiI0MjJkNzk2Ni00NzFhLTQ1MTctOGQ1OC02OTI0MjkzYzI0YjEiLCJMb2dpblR5cGUiOiJEaXJlY3QifQ.I4t85J2lSh2bidk2SK_TfEVMfTsatBhJng3SnHsIeUzmwZAmaMcH6R4rVaDuV7sOsxcWZfiuK0YDRmewN4wZEcrUkGBilqyGIK4QTWX7YlbOWMNo5OuZdrSbX9DXOglWae4ejCniGM-xP8nmHffPLhvnskE2nlgznbxfxQ3U_A6Vh2hPVPW-18BWqV8hAbXQgbcPaOe9jjM-BElbihb4RICuErXHggIyul4bLmDp4Cay5u8_O7AO7fSDFbmfKLBQSny1GUtEkcvrmf3cr-BL5rmb0NeFgyYEocAtet2U2spfqAyCuauDMcll8J3NMjJ_SzzRxOXNIV5jbeNAbijawQ

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1564	AB3270.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_7444098373be2509	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_7444098373be2509\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bba = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\abil..ivex_none_0005.0005_none_bd9871c14ab897d6	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b\lock!04000000a49b570e1c060000200e00000000000000000000 = 30303030303631632c30316461633333343266313865313435	AB3270.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_ab32..tion_aed61f843d907bdc\LastRunVersion = 68747470733a2f2f746e333237302e6d796162696c6974796e6574776f726b2e636f6d2f616374697665782f6162333237302e6170706c69636174696f6e234142333237302e6170706c69636174696f6e2c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2f4142333237302e6578652c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	AB3270.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	AB3270.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows	AB3270.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_ab32..tion_37cb4a4445f31ed1_b3eb574f58ee5106\LastRunVersion = 68747470733a2f2f746e333237302e6d796162696c6974796e6574776f726b2e636f6d2f616374697665782f6162333237302e6170706c69636174696f6e234142333237302e6170706c69636174696f6e2c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2f4142333237302e6578652c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	AB3270.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\ab3270_none_0005.0005_none_867c1304e606ed6a\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_7444098373be2509\pin!S_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	AB3270.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\ab32..tion_37cb4a4445f31e = 680074007400700073003a002f002f0074006e0033003200370030002e006d0079006100620069006c006900740079006e006500740077006f0072006b002e0063006f006d002f0061006300740069007600650078002f006100620033003200370030002e006100700070006c00690063006100740069006f006e0023004100420033003200370030002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d0035002e0035002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0033003700630062003400610034003400340035006600330031006500640031002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f004100420033003200370030002e006500780065002c002000560065007200730069006f006e003d0035002e0035002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0033003700630062003400610034003400340035006600330031006500640031002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e00330032000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\NonCanonicalData	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\ab32..tion_37cb4a4445f31e = 30003000300031002f00300031002f00300031002000300030003a00300030003a00300030000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b\SizeOfStronglyNamedComponent = 0b8e000000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	AB3270.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\ab32..tion_37cb4a4445f31e	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\ab32..tion_37cb4a4445f31e = 68747470733a2f2f746e333237302e6d796162696c6974796e6574776f726b2e636f6d2f616374697665782f6162333237302e6170706c69636174696f6e234142333237302e6170706c69636174696f6e2c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2f4142333237302e6578652c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_7444098373be2509	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\abil..ivex_none_0005.0005_none_bd9871c14ab897d6\ident = 4162696c697479544e33323730452e416374697665582c2056657273696f6e3d352e352e383837322e313630382c2043756c747572653d6e65757472616c2c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\ab3270_none_0005.0005_none_867c1304e606ed6a	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_none_44909a904238c218\lock!02000000a49b570e1c060000200e00000000000000000000 = 30303030303631632c30316461633333343266313865313435	AB3270.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b	AB3270.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_none_44909a904238c218\SizeOfStronglyNamedComponent = fd69000000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b\DigestValue = ac7a6b00f5f847871ef6442f1cda20290d60ac386c552f6194ff1912e77809b3	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\implication!ab32..tion_37cb4a4445f31ed1_0005.0005_74440983 = 68747470733a2f2f746e333237302e6d796162696c6974796e6574776f726b2e636f6d2f616374697665782f6162333237302e6170706c69636174696f6e234142333237302e6170706c69636174696f6e2c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_7444098373be2509\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bba	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\HasRunBefore = 01	AB3270.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_none_44909a904238c218	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion	AB3270.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\ab32..tion_37cb4a4445f31e = 680074007400700073003a002f002f0074006e0033003200370030002e006d0079006100620069006c006900740079006e006500740077006f0072006b002e0063006f006d002f0061006300740069007600650078002f006100620033003200370030002e006100700070006c00690063006100740069006f006e003f0073006500730048006f00730074003d00730074007200650061006d002e007300650073002e0076006900730069006f006e007300680061007200650069006e0063002e0063006f006d00260073006500730050006f00720074003d00340034003300260073006500730043006f006e006e0065006300740069006f006e00490064003d0063006f006e006e0065006300740069006f006e002d00360032003900260063006f006e006e00650063007400540069006d0065006f00750074003d003600300026007200650061006400540069006d0065006f00750074003d003300300026006d006f00640065006c003d00490042004d002d0033003200370038002d0034002d0045002600610075007400680054006f006b0065006e003d00650079004a00300065005800410069004f0069004a004b0056003100510069004c0043004a00680062004700630069004f0069004a00530055007a00490031004e0069004900730049006e0067003100640043004900360049006d0068004b00610057006c00300054007a00460068006500480070006d004e00330064005400610030006800660065006c0039004c0054005500460035004d00440046003400550053004a0039002e00650079004a007000630033004d0069004f0069004a00420059006d006c007300610058005200350054006d00560030006400320039007900610079004900730049006d00460031005a0043004900360049006d006800300064004800410036004c0079003900680059006d006c007300610058005200350062006d005600300064003200390079006100790035006a0062003200300069004c0043004a006c0065004800410069004f006a00450033004d005400670035004d004400490030004f0044005900730049006d00350069005a006900490036004d005400630078004f0044006b0077004d005400670034004e00690077006900510033004a007400510057004e006a0062003300560075006400450035003100620057004a006c00630069004900360049006a00450031004f005400510078004900690077006900510032003900790063006d005600730059005800520070006200320035004a005a0043004900360049006a00520069004f004400550032004d005400520069004c005400630078004e007a00550074004e004400410034004e005300300035004e006a00590034004c0054004a006a0059006a00630079004e006d0056006c004f005400450079004d0043004900730049006d00780068006400570035006a00610046005200350063004700550069004f006900490079004900690077006900630033005600690049006a006f006900630032003900720062004700560075005a00790035007500590058006400680065006b0042006f00630032004d00750064005800520068006100430035006c005a004800550069004c0043004a005600630032005600790053005700510069004f006900490030004d006a004a006b004e007a006b0032004e006900300030004e007a00460068004c005400510031004d005400630074004f004700510031004f004300300032004f005400490030004d006a006b007a0059007a004900300059006a00450069004c0043004a004d00620032006400700062006c005200350063004700550069004f0069004a004500610058004a006c005900330051006900660051002e00490034007400380035004a0032006c005300680032006200690064006b00320053004b005f0054006600450056004d0066005400730061007400420068004a006e006700330053006e00480073004900650055007a006d0077005a0041006d0061004d0063004800360052003400720056006100440075005600370073004f0073007800630057005a006600690075004b0030005900440052006d00650077004e00340077005a0045006300720055006b004700420069006c0071007900470049004b0034005100540057005800370059006c0062004f0057004d004e006f0035004f0075005a00640072005300620058003900440058004f0067006c00570061006500340065006a0043006e00690047004d002d007800500038006e006d0048006600660050004c00680076006e0073006b00450032006e006c0067007a006e0062007800660078005100330055005f0041003600560068003200680050005600500057002d00310038004200570071005600380068004100620058005100670062006300500061004f00650039006a006a004d002d00420045006c006200690068006200340052004900430075004500720058004800670067004900790075006c00340062004c006d004400700034004300610079003500750038005f004f00370041004f003700660053004400460062006d0066004b004c004200510053006e007900310047005500740045006b006300760072006d0066003300630072002d0042004c00350072006d00620030004e006500460067007900590045006f0063004100740065007400320055003200730070006600710041007900430075006100750044004d0063006c006c0038004a0033004e004d006a004a005f0053007a007a00520078004f0058004e004900560035006a00620065004e004100620069006a006100770051000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	AB3270.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b\lock!08000000a49b570e1c060000200e00000000000000000000 = 30303030303631632c30316461633333343266313865313435	AB3270.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b\identity = 4142333237302e6578652c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\ab3270_none_0005.0005_none_867c1304e606ed6a\Files\AB3 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\lock!07000000cf99570ecc1300009c110000000000000000000052fde = 30303030313363632c30316461633333343239363831383739	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "BXNOR224DWRBG58VP5PXW8P0"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b\lock!010000002399570ecc1300009c1100000000000000000000 = 30303030313363632c30316461633333343239363831383739	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\SizeOfPrivateComponentsInDeployment = 65a2050000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\abil..ivex_none_0005.0005_none_bd9871c14ab897d6\Files = 01	dfsvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\OnlineAppQuotaUsageEstimate = "432749"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\lock!09000000b39b570e1c060000200e00000000000000000000e9e03 = 30303030303631632c30316461633333343266313865313435	AB3270.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_ab32..tion_37cb4a4445f31ed1_ae091519be9cb227	AB3270.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\ab32..tion_37cb4a4445f31e = 4142333237302e6170706c69636174696f6e2c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bba = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	AB3270.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\identity = 68747470733a2f2f746e333237302e6d796162696c6974796e6574776f726b2e636f6d2f616374697665782f6162333237302e6170706c69636174696f6e234142333237302e6170706c69636174696f6e2c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2f4142333237302e6578652c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\appid = 68747470733a2f2f746e333237302e6d796162696c6974796e6574776f726b2e636f6d2f616374697665782f6162333237302e6170706c69636174696f6e234142333237302e6170706c69636174696f6e2c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2f4142333237302e6578652c2056657273696f6e3d352e352e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d333763623461343434356633316564312c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	AB3270.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be	AB3270.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_ab32..tion_aed61f843d907bdc	AB3270.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Deployment\BN9N27GN.X7X\1C77RKJ7.7VH\AB3270.exe:Zone.Identifier	dfsvc.exe
File created	C:\Users\Admin\AppData\Local\Apps\2.0\G5T9CR58.WRG\K8YT8M6P.GJE\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\AB3270.exe\:Zone.Identifier:$DATA	dfsvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
564	msedge.exe
564	msedge.exe
636	identity_helper.exe
636	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	dfsvc.exe
Token: SeDebugPrivilege	1564	AB3270.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 2912	564	msedge.exe	84
PID 564 wrote to memory of 2912	564	msedge.exe	84
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 1368	564	msedge.exe	85
PID 564 wrote to memory of 4792	564	msedge.exe	86
PID 564 wrote to memory of 4792	564	msedge.exe	86
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87
PID 564 wrote to memory of 4136	564	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tn3270.myabilitynetwork.com/activex/ab3270.application?sesHost=stream.ses.visionshareinc.com&sesPort=443&sesConnectionId=connection-629&connectTimeout=60&readTimeout=30&model=IBM-3278-4-E&authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImhKaWl0TzFheHpmN3dTa0hfel9LTUF5MDF4USJ9.eyJpc3MiOiJBYmlsaXR5TmV0d29yayIsImF1ZCI6Imh0dHA6Ly9hYmlsaXR5bmV0d29yay5jb20iLCJleHAiOjE3MTg5MDI0ODYsIm5iZiI6MTcxODkwMTg4NiwiQ3JtQWNjb3VudE51bWJlciI6IjE1OTQxIiwiQ29ycmVsYXRpb25JZCI6IjRiODU2MTRiLTcxNzUtNDA4NS05NjY4LTJjYjcyNmVlOTEyMCIsImxhdW5jaFR5cGUiOiIyIiwic3ViIjoic29rbGVuZy5uYXdhekBoc2MudXRhaC5lZHUiLCJVc2VySWQiOiI0MjJkNzk2Ni00NzFhLTQ1MTctOGQ1OC02OTI0MjkzYzI0YjEiLCJMb2dpblR5cGUiOiJEaXJlY3QifQ.I4t85J2lSh2bidk2SK_TfEVMfTsatBhJng3SnHsIeUzmwZAmaMcH6R4rVaDuV7sOsxcWZfiuK0YDRmewN4wZEcrUkGBilqyGIK4QTWX7YlbOWMNo5OuZdrSbX9DXOglWae4ejCniGM-xP8nmHffPLhvnskE2nlgznbxfxQ3U_A6Vh2hPVPW-18BWqV8hAbXQgbcPaOe9jjM-BElbihb4RICuErXHggIyul4bLmDp4Cay5u8_O7AO7fSDFbmfKLBQSny1GUtEkcvrmf3cr-BL5rmb0NeFgyYEocAtet2U2spfqAyCuauDMcll8J3NMjJ_SzzRxOXNIV5jbeNAbijawQ
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffee9746f8,0x7fffee974708,0x7fffee974718
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3904007548315292722,13668650539658941226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:1508
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication https://tn3270.myabilitynetwork.com/activex/ab3270.application?sesHost=stream.ses.visionshareinc.com&sesPort=443&sesConnectionId=connection-629&connectTimeout=60&readTimeout=30&model=IBM-3278-4-E&authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImhKaWl0TzFheHpmN3dTa0hfel9LTUF5MDF4USJ9.eyJpc3MiOiJBYmlsaXR5TmV0d29yayIsImF1ZCI6Imh0dHA6Ly9hYmlsaXR5bmV0d29yay5jb20iLCJleHAiOjE3MTg5MDI0ODYsIm5iZiI6MTcxODkwMTg4NiwiQ3JtQWNjb3VudE51bWJlciI6IjE1OTQxIiwiQ29ycmVsYXRpb25JZCI6IjRiODU2MTRiLTcxNzUtNDA4NS05NjY4LTJjYjcyNmVlOTEyMCIsImxhdW5jaFR5cGUiOiIyIiwic3ViIjoic29rbGVuZy5uYXdhekBoc2MudXRhaC5lZHUiLCJVc2VySWQiOiI0MjJkNzk2Ni00NzFhLTQ1MTctOGQ1OC02OTI0MjkzYzI0YjEiLCJMb2dpblR5cGUiOiJEaXJlY3QifQ.I4t85J2lSh2bidk2SK_TfEVMfTsatBhJng3SnHsIeUzmwZAmaMcH6R4rVaDuV7sOsxcWZfiuK0YDRmewN4wZEcrUkGBilqyGIK4QTWX7YlbOWMNo5OuZdrSbX9DXOglWae4ejCniGM-xP8nmHffPLhvnskE2nlgznbxfxQ3U_A6Vh2hPVPW-18BWqV8hAbXQgbcPaOe9jjM-BElbihb4RICuErXHggIyul4bLmDp4Cay5u8_O7AO7fSDFbmfKLBQSny1GUtEkcvrmf3cr-BL5rmb0NeFgyYEocAtet2U2spfqAyCuauDMcll8J3NMjJ_SzzRxOXNIV5jbeNAbijawQ
  2⤵
  PID:3344
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
  - - C:\Users\Admin\AppData\Local\Apps\2.0\G5T9CR58.WRG\K8YT8M6P.GJE\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\AB3270.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\G5T9CR58.WRG\K8YT8M6P.GJE\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\AB3270.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:1564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\G5T9CR58.WRG\K8YT8M6P.GJE\ab32..tion_37cb4a4445f31ed1_0005.0005_b81175bcbe1585be\AB3270.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\G5T9CR58.WRG\K8YT8M6P.GJE\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b\DDE-icon.ico

Filesize
1KB

MD5
6f548589b67690bdcc9c7346526ef12e

SHA1
2e389bc43b6b1df71b4680a8643502e547063f79

SHA256
487ebcc2b1bcab90b6cb99566063a2f3dc85caebb7594780505b331115a08bd0

SHA512
fc332802fe20053d001222c4cc335943409073d03e72b4e39408e8fcc76290c4245a6f128190d9b149c8a9d452ec8d76a23149322dbcdba5b15226eed805ba0e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\G5T9CR58.WRG\K8YT8M6P.GJE\manifests\ab32..tion_37cb4a4445f31ed1_0005.0005_none_44909a904238c218.cdf-ms

Filesize
14KB

MD5
b08e60c0f9446c937c9adbe10a86bb54

SHA1
2724be01e5c844c3b23aa29ba138b96b5ede714c

SHA256
8ab6e87fde29a953122182ccbc4a79dc49ca156adebb2488fb629103726f2c85

SHA512
62617210fc9bafe5a503d782ac28b756b7392e032a49ecf0e48361fbfaed06d08e3c4fe878f27a0d3a8e6cf1f8c7c73558dfde84b91cfb268a324ad108f0ee6a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\G5T9CR58.WRG\K8YT8M6P.GJE\manifests\ab3270.exe_37cb4a4445f31ed1_0005.0005_none_0042527bbae5203b.cdf-ms

Filesize
18KB

MD5
f590f630246dcb352908138ae0f11b2e

SHA1
16ca7e27ddfbe0d6624a530a41fec2606df79ae4

SHA256
bb75df82bd0a07250c3d6c66828fc3527a19819c1cadd021e2c4e8bb654ef5e9

SHA512
39aa4c4139be5e230d9a76741f019797b5fd4610cfd43179b722fb9ac32eaaadd1cf665a1aa242af9c5cff9c904d6921e0e4e7a5cdb05ef46d490a6a5c824e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
477462b6ad8eaaf8d38f5e3a4daf17b0

SHA1
86174e670c44767c08a39cc2a53c09c318326201

SHA256
e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d

SHA512
a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b704c9ca0493bd4548ac9c69dc4a4f27

SHA1
a3e5e54e630dabe55ca18a798d9f5681e0620ba7

SHA256
2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411

SHA512
69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c3ea23ea0ad5de0c63ca675807596684

SHA1
3e86090d5339f886fe96f3bb68d4db698882a72f

SHA256
c1b9193e4f81539937fd762c3437bc4ddc57a6a54af83b378bea1dd3767f05f3

SHA512
1e26c047797d4f28d6507e288f93751732a0b22667016a740b4a0080605e4e698c8c3b6893414388da2c0e6674538d1364b3d42760d39316c8f72aa01eeb30ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32706902365de3e85ef50d8f1b1852d2

SHA1
3ce47bd9f429ff4a13e9217bf7e48ffb86d8bb64

SHA256
ec59bf0c2d8b2313ef01bd279c3ba00924ec16d41566b1e02ea5e93e5617bc78

SHA512
f31f4560f6f9e07068931a47c2eb31621ed48b0eb81f1e698d1d8fabb48eb84dc35150082751f1a5b389badb67cfbc09f0310694a5ddb0012b2103fa1e0a5da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c23f1a87baeeeb397509ed57a81db261

SHA1
6902a90a86f0d11db33409d3acce0f63a9c346bb

SHA256
ff91bba3ff92daa4955c728a67bc9d2d1589a9586bfc67fa2db9d013a1118e8e

SHA512
9a72c91b9d4d23c3998b5d9b140e9c3ad43b62f95bcbcead9b3a80388f7191e4957bc18ba1f7329b3c1dd941c7c2e15b76fd0b317487b50a6173cc78566d9e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
454cb67026d3c8b7b41dcfa5f8037a84

SHA1
03ebb6986bd4f925ad30137ecc276da5c60e0e89

SHA256
b0b710086bb5ddf9b1e563dbc031c05f85df9aa8e68f63be3d774fbf56559d2a

SHA512
4ed90d1c8bbdae405865874715e728ef574c20b014a65859654521c3afab907036bfa028379e58ac3cf9321c1fee6392ced7929a089c48dd51354057c019773d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BN9N27GN.X7X\1C77RKJ7.7VH\AB3270.exe

Filesize
16KB

MD5
46d9c68da00e60a550afbee2b6a50f9f

SHA1
3e832b317153c64e1bb88597e362d626155d3b45

SHA256
ce4a5cbaf7bf6ed3182fe4e72b6edf936ca885cc2c689d150e561993dd292e3e

SHA512
d8250b3249dd9372e394668213b4e185a2429947b1d7d15bc78c81db41d8da4e1bc435de039a641c157566168c33db963ec80d3f35e8a5eb8639f993534b68d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BN9N27GN.X7X\1C77RKJ7.7VH\AB3270.exe.config

Filesize
206B

MD5
c62c0f34809c9b000d0d11935e7d3b0d

SHA1
be7d83d6fc40b292593c7324368c8fe84e53a4cb

SHA256
68aad2cd56e70f0209e16c26fc5d75d695e1c88081dd8be08f7f11cf9f13caba

SHA512
a307254fb5a5314d5973518afcb38caa4b451edf0fa868638cf510b5bb4a42595c8288f0f956f696cbae93e6656db35aeb695e4b51ae5067f01fb49e8f2f2925

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BN9N27GN.X7X\1C77RKJ7.7VH\AB3270.exe.manifest

Filesize
15KB

MD5
e6ced87ae5356dd93140f45b41466729

SHA1
fabea64c11f8dd8a555013c72b3b4799c3a63e95

SHA256
ac7a6b00f5f847871ef6442f1cda20290d60ac386c552f6194ff1912e77809b3

SHA512
3bb27de258c20c711163364078049a7da3419a2c15bd5f4be945930ae130f61bd3118196b65a702957b71df890e801f111a52b79c4b3e4c3571a1e1d1208e5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BN9N27GN.X7X\1C77RKJ7.7VH\AbilityTN3270E.ActiveX.dll

Filesize
334KB

MD5
bd3619beadbe2af3116eb3381ef24e8b

SHA1
843ad6a0bd1e7e53c409295ed750a69f3df17fca

SHA256
5ec5aa0032775515e53a7c4e729ad6417298cd50ece66f433dc6cb9ba9eaca3f

SHA512
699b792f94f32146c556efecdf2a2b03ced730d496e6df7df3c928efcabca883572f47d447502ac953096390b21601da7f6fc4d69543121daafa133add058009

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\CM6BDD4X.3ZA\QWPME0H9.HHO.application

Filesize
11KB

MD5
4cb31c9d41f334846dfb0b693218fd23

SHA1
3fbd36b4c8c1594163540dd265ec72100f51cfa0

SHA256
1dd4fb6d373eb3c42bf38a99ac5bd9b71d6c166efcbd1dcad7dd9547df50a821

SHA512
9946edb7bb0ab13e7cc50f35e777ebfb5b7627c5dcb5b000dac471f84c739bffd7c66280f6422a5eb61c2f8e424a2b5b3967ec114fc45c7a2380a8f358af835d

Download Submit
memory/1564-228-0x0000021E83190000-0x0000021E83198000-memory.dmp

Filesize
32KB

Download
memory/5068-88-0x000002507B2D0000-0x000002507B2D8000-memory.dmp

Filesize
32KB

Download
memory/5068-81-0x000002507BD10000-0x000002507BD6A000-memory.dmp

Filesize
360KB

Download
memory/5068-57-0x000002507E0B0000-0x000002507E100000-memory.dmp

Filesize
320KB

Download
memory/5068-54-0x000002507AE10000-0x000002507AF96000-memory.dmp

Filesize
1.5MB

Download
memory/5068-53-0x00000250607B0000-0x00000250607B8000-memory.dmp

Filesize
32KB

Download