039004b76a1bc5ac020958256bdcf97f1464398c13b0be2e0d0078f1aee8b3a7

Analysis

max time kernel
52s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2023 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lonelyscreen-win-installer.exe
Size

538KB
MD5

64da00119c76c6e1d75f059ffc4a772d
SHA1

ebaebff7db60430cad107d4efc45654d43f98075
SHA256

039004b76a1bc5ac020958256bdcf97f1464398c13b0be2e0d0078f1aee8b3a7
SHA512

d13544aa2ee6060510c0f906e3f174a4ec40878f36193a99d6c527b62fa6a379115e965e272069b0e3f0479df16e6899a096ede37fb0832262c72d3d24f824f3
SSDEEP

12288:AS3yBV888888888888W88888888888pKfXGU69eTutORzK/AA9i6Zub02O9HtFbl:/3yLKfXG6wZ/D9kqtZaTq

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
52	4544	msiexec.exe
54	4544	msiexec.exe

Executes dropped EXE 6 IoCs

pid	Process
1864	lonelyscreen-win-installer.tmp
5032	setup.exe
1544	setup.tmp
1544	mDNSResponder.exe
2532	Process not Found
3168	lonelyscreen.exe

Loads dropped DLL 10 IoCs

pid	Process
1864	lonelyscreen-win-installer.tmp
4884	MsiExec.exe
4884	MsiExec.exe
4884	MsiExec.exe
1872	MsiExec.exe
1872	MsiExec.exe
3484	MsiExec.exe
1712	MsiExec.exe
4452	MsiExec.exe
3168	lonelyscreen.exe

Registers COM server for autorun 1 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LonelyScreen = "C:\\Program Files (x86)\\LonelyScreen\\lonelyscreen.exe /start_context sys_auto"	setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dnssdX.dll	msiexec.exe
File created	C:\Windows\system32\dnssdX.dll	msiexec.exe
File created	C:\Windows\SysWOW64\jdns_sd.dll	msiexec.exe
File created	C:\Windows\system32\jdns_sd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dns-sd.exe	msiexec.exe
File created	C:\Windows\system32\dns-sd.exe	msiexec.exe
File created	C:\Windows\SysWOW64\dnssd.dll	msiexec.exe
File created	C:\Windows\system32\dnssd.dll	msiexec.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LonelyScreen\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-208FL.tmp	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt_PT.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-I9HNO.tmp	lonelyscreen-win-installer.tmp
File opened for modification	C:\Program Files (x86)\LonelyScreen\LonelyScreen.exe	setup.tmp
File created	C:\Program Files (x86)\LonelyScreen\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\LonelyScreen\is-928RJ.tmp	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\sv.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\unins001.dat	lonelyscreen-win-installer.tmp
File opened for modification	C:\Program Files (x86)\LonelyScreen\unins001.dat	lonelyscreen-win-installer.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ru.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\ext\dns_sd.jar	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC3FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB93.tmp	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6CF.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bc89.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC10E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC286.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4FA.tmp	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File created	C:\Windows\Installer\e57bc8e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bc89.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC46C.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDEventManager\ = "DNSSDEventManager Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods\ = "7"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\2 = "C:\\ProgramData\\Apple\\Installer Cache\\Bonjour 3.0.0.10\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager\CurVer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ = "DNSSDRecord Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "PSFactoryBuffer"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord\ = "DNSSDRecord Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\ = "Apple Bonjour Library 1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods\ = "14"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDEventManager.1\ = "DNSSDEventManager Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ProgID\ = "Bonjour.TXTRecord.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "IDNSSDEventManager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord\CLSID\ = "{AFEE063C-05BA-4248-A26E-168477F49734}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ = "DNSSDService Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B0163E6D0340BE4183EB2758E9BEDD8\Bonjour	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord\CLSID\ = "{5E93C5A9-7516-4259-A67B-41A656F6E01C}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Bonjour\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID\ = "Bonjour.DNSSDRecord"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1544	setup.tmp
1544	setup.tmp
4556	msedge.exe
4556	msedge.exe
1540	msedge.exe
1540	msedge.exe
312	identity_helper.exe
312	identity_helper.exe
1864	lonelyscreen-win-installer.tmp
1864	lonelyscreen-win-installer.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4764	msiexec.exe
Token: SeSecurityPrivilege	4544	msiexec.exe
Token: SeCreateTokenPrivilege	4764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4764	msiexec.exe
Token: SeLockMemoryPrivilege	4764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4764	msiexec.exe
Token: SeMachineAccountPrivilege	4764	msiexec.exe
Token: SeTcbPrivilege	4764	msiexec.exe
Token: SeSecurityPrivilege	4764	msiexec.exe
Token: SeTakeOwnershipPrivilege	4764	msiexec.exe
Token: SeLoadDriverPrivilege	4764	msiexec.exe
Token: SeSystemProfilePrivilege	4764	msiexec.exe
Token: SeSystemtimePrivilege	4764	msiexec.exe
Token: SeProfSingleProcessPrivilege	4764	msiexec.exe
Token: SeIncBasePriorityPrivilege	4764	msiexec.exe
Token: SeCreatePagefilePrivilege	4764	msiexec.exe
Token: SeCreatePermanentPrivilege	4764	msiexec.exe
Token: SeBackupPrivilege	4764	msiexec.exe
Token: SeRestorePrivilege	4764	msiexec.exe
Token: SeShutdownPrivilege	4764	msiexec.exe
Token: SeDebugPrivilege	4764	msiexec.exe
Token: SeAuditPrivilege	4764	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4764	msiexec.exe
Token: SeChangeNotifyPrivilege	4764	msiexec.exe
Token: SeRemoteShutdownPrivilege	4764	msiexec.exe
Token: SeUndockPrivilege	4764	msiexec.exe
Token: SeSyncAgentPrivilege	4764	msiexec.exe
Token: SeEnableDelegationPrivilege	4764	msiexec.exe
Token: SeManageVolumePrivilege	4764	msiexec.exe
Token: SeImpersonatePrivilege	4764	msiexec.exe
Token: SeCreateGlobalPrivilege	4764	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1544	setup.tmp
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
3168	lonelyscreen.exe
1864	lonelyscreen-win-installer.tmp
3168	lonelyscreen.exe
3168	lonelyscreen.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
1540	msedge.exe
3168	lonelyscreen.exe
3168	lonelyscreen.exe
3168	lonelyscreen.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3168	lonelyscreen.exe
3168	lonelyscreen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1864	2060	lonelyscreen-win-installer.exe	85
PID 2060 wrote to memory of 1864	2060	lonelyscreen-win-installer.exe	85
PID 2060 wrote to memory of 1864	2060	lonelyscreen-win-installer.exe	85
PID 1864 wrote to memory of 5032	1864	lonelyscreen-win-installer.tmp	89
PID 1864 wrote to memory of 5032	1864	lonelyscreen-win-installer.tmp	89
PID 1864 wrote to memory of 5032	1864	lonelyscreen-win-installer.tmp	89
PID 5032 wrote to memory of 1544	5032	setup.exe	90
PID 5032 wrote to memory of 1544	5032	setup.exe	90
PID 5032 wrote to memory of 1544	5032	setup.exe	90
PID 1544 wrote to memory of 1540	1544	setup.tmp	92
PID 1544 wrote to memory of 1540	1544	setup.tmp	92
PID 1540 wrote to memory of 1560	1540	msedge.exe	93
PID 1540 wrote to memory of 1560	1540	msedge.exe	93
PID 1864 wrote to memory of 4764	1864	lonelyscreen-win-installer.tmp	94
PID 1864 wrote to memory of 4764	1864	lonelyscreen-win-installer.tmp	94
PID 1864 wrote to memory of 4764	1864	lonelyscreen-win-installer.tmp	94
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 5112	1540	msedge.exe	97
PID 1540 wrote to memory of 4556	1540	msedge.exe	96
PID 1540 wrote to memory of 4556	1540	msedge.exe	96
PID 1540 wrote to memory of 1084	1540	msedge.exe	98
PID 1540 wrote to memory of 1084	1540	msedge.exe	98
PID 1540 wrote to memory of 1084	1540	msedge.exe	98
PID 1540 wrote to memory of 1084	1540	msedge.exe	98
PID 1540 wrote to memory of 1084	1540	msedge.exe	98
PID 1540 wrote to memory of 1084	1540	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe
"C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\is-5SKC0.tmp\lonelyscreen-win-installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5SKC0.tmp\lonelyscreen-win-installer.tmp" /SL5="$800DC,164153,114176,C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\is-9UQ88.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-9UQ88.tmp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\is-66AK4.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-66AK4.tmp\setup.tmp" /SL5="$7011A,7573378,114176,C:\Users\Admin\AppData\Local\Temp\is-9UQ88.tmp\setup.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.lonelyscreen.com/installed.php?version=1.2.16
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc518a46f8,0x7ffc518a4708,0x7ffc518a4718
        6⤵
        
        PID:1560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,3497052566636871282,8570776864798052180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,3497052566636871282,8570776864798052180,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        6⤵
        
        PID:5112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,3497052566636871282,8570776864798052180,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
        6⤵
        
        PID:1084
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3497052566636871282,8570776864798052180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        6⤵
        
        PID:2988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3497052566636871282,8570776864798052180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        6⤵
        
        PID:316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3497052566636871282,8570776864798052180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
        6⤵
        
        PID:3120
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,3497052566636871282,8570776864798052180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
        6⤵
        
        PID:4600
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,3497052566636871282,8570776864798052180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:312
- - C:\Windows\SysWOW64\msiexec.exe
    "msiexec.exe" /qn /i C:\Users\Admin\AppData\Local\Temp\is-9UQ88.tmp\bonjour.msi
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Program Files (x86)\LonelyScreen\lonelyscreen.exe
    "C:\Program Files (x86)\LonelyScreen\lonelyscreen.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4544
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 7F73F81BEB4514DAFBF3690239A0022A
  2⤵
  - Loads dropped DLL
  PID:4884
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D8FD05E60669A9FD325828D0F1333B70
  2⤵
  - Loads dropped DLL
  PID:1872
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B3BBD0B68A9FD1796A0CB97FF17B3051 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3484
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:1712
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3728

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bc8c.rbs

Filesize
126KB

MD5
c29580be33f565dc7753209416429559

SHA1
db1e9d13bc719808c6ec76e95f2bc3cca6818237

SHA256
08823a81edd130e2d4935b1038b399afebec797fa4d2c5304d43cadeccea49b7

SHA512
2620d927061459559c614fccd8f640f4e0a51e76666a931100a014dbea27beb703d6eb43e786391c1a4c09d7a2a55ae41d87625fde681133ddfeef5744e8f26b

Download Submit
C:\Program Files (x86)\Bonjour\mDNSResponder.exe

Filesize
381KB

MD5
db5bea73edaf19ac68b2c0fad0f92b1a

SHA1
74bb0197763e386036751bf30c5bbf4c389fa24e

SHA256
10f21999ff6b1d410ebf280f7f27deaca5289739cf12f4293b614b8fc6c88dcc

SHA512
63b718288c266debf3f58ac1a62cdcca6f09350616d53a406271d8f4fe6144751eddf7b7ba2dbfe79cfda671ee5afbdbae5798204edaaf4f0391895b824ae7c5

Download Submit
C:\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
118KB

MD5
40947436a70e0034e41123df5a0a7702

SHA1
6c27e1dd1c1533feb6435190a5074300ac2a9822

SHA256
5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9

SHA512
ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704

Download Submit
C:\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
118KB

MD5
40947436a70e0034e41123df5a0a7702

SHA1
6c27e1dd1c1533feb6435190a5074300ac2a9822

SHA256
5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9

SHA512
ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704

Download Submit
C:\Program Files (x86)\LonelyScreen\LonelyScreen.exe

Filesize
22.3MB

MD5
a3ff7e328f41f4a6af82266bfe12036f

SHA1
79f0e44415ffe74b320dfb27c8988d326dc80b2e

SHA256
9f2a9f89adda3003c587e4a9bdf5decf3260beefb135180e44845aee7730f731

SHA512
472625b9ab26e83845a72423722e4b1286dce950597a52e95dff385bb33c1a1e4870755f273c8a02dea0793d04bdad7779cc05c786dff7ed624f5feb46d0a803

Download Submit
C:\Program Files (x86)\LonelyScreen\LonelyScreen.exe

Filesize
22.3MB

MD5
a3ff7e328f41f4a6af82266bfe12036f

SHA1
79f0e44415ffe74b320dfb27c8988d326dc80b2e

SHA256
9f2a9f89adda3003c587e4a9bdf5decf3260beefb135180e44845aee7730f731

SHA512
472625b9ab26e83845a72423722e4b1286dce950597a52e95dff385bb33c1a1e4870755f273c8a02dea0793d04bdad7779cc05c786dff7ed624f5feb46d0a803

Download Submit
C:\Program Files (x86)\LonelyScreen\is-I9HNO.tmp

Filesize
1.1MB

MD5
cc8b164c85cc68a2e6e0d10e452ef68b

SHA1
fed79b50a5f03c0e33071ff849ea19dfdaf3c464

SHA256
20590034969e110c4fba1d065da8ac53dad79f5b8a9bd68780164207a170c749

SHA512
bee540ceb2b1de587872cdb963d2c754ac4ba0f3cac8026c3d7c2882aae0bfeb31babae927361b2ef5484ab2085b4a19914cc99a504aafd3f08c34f9f626699d

Download Submit
C:\Program Files (x86)\LonelyScreen\lonelyscreen.exe

Filesize
22.3MB

MD5
a3ff7e328f41f4a6af82266bfe12036f

SHA1
79f0e44415ffe74b320dfb27c8988d326dc80b2e

SHA256
9f2a9f89adda3003c587e4a9bdf5decf3260beefb135180e44845aee7730f731

SHA512
472625b9ab26e83845a72423722e4b1286dce950597a52e95dff385bb33c1a1e4870755f273c8a02dea0793d04bdad7779cc05c786dff7ed624f5feb46d0a803

Download Submit
C:\Program Files (x86)\LonelyScreen\unins000.dat

Filesize
6KB

MD5
4dff76efc3bbd0ddb4b5906a6fce08a2

SHA1
8e54dcd305b773344a7bb1ce971ca38ed7f1764c

SHA256
fa9753015bd6e24c0082e0686312c4939fe6fa9d3894fe1f348a6fc048272686

SHA512
81fe82aec3aa718ff9550f348b2b434c586179e155f863bcc172630a537da55cf4226c29b661c52be722046ecb6a931b6ae6c2f75016af357ccddd879e48c0cc

Download Submit
C:\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
ebbcd5dfbb1de70e8f4af8fa59e401fd

SHA1
5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88

SHA256
17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122

SHA512
2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4

Download Submit
C:\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
ebbcd5dfbb1de70e8f4af8fa59e401fd

SHA1
5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88

SHA256
17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122

SHA512
2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Java\jre1.8.0_66\lib\ext\dns_sd.jar

Filesize
16KB

MD5
ca086bb31b598febd7e8d44daf14714a

SHA1
4838808e80df811cfb2bf7faf361b3cbc16f9f81

SHA256
3818abdee5b1d3d77ae4a5ace25a638b2d7d624605f8e8ce14dd6d4c6639c00c

SHA512
54188bf433a0da1b6b8f6f881af6d681a6bb629693191c7ee46f852953529cb94dfa894aca574e1cd7355985ea8d6187e7694c8144ea1db880922676f0dfe0c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7BB7B950B665E30B1761302CF423246B

Filesize
503B

MD5
8e2fde94d67327792a8c377b7947b3c9

SHA1
ca02be6102a4ca78ecbf4213a002b5f819c9658a

SHA256
1cb2ad6fb3e59c812aae261c205b051bf646fde625025fe24e77729104ed4bd0

SHA512
19953551781ec1bace9b778bc228bfde6f0b3c348464605b1173d2be422e15d58208ce572f58ca19f516957aa500567e2d104fa18841f0914d407435caedd2e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
6d87ed35e2eb36a172f21dff7e398767

SHA1
de2c8e705c6264ddb5e0b235406aaef4381593cd

SHA256
c99ca4d31ac40adb54e4760d038cf9f3c19129f6b5cc9794dbf82fa6fa1e3586

SHA512
2580be34dbf08ebe4e852e8a97be3709c2b51a6be5c8ff84e1282396c2696a5ec8491cb323402387277ff99b028657e61e26664974122e5f65445b7c7b0aa553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7BB7B950B665E30B1761302CF423246B

Filesize
548B

MD5
c506b5340a96713a63b60fb8bfe51e8e

SHA1
31e400b77ab044b023599a08cc0616bdaa1e17b3

SHA256
9fac1bcd4de345840443954f9598f980125e364e077f540461183e8de7efc102

SHA512
729cca0622129f3a8ceb9afc4d96d78564489c017126857560f74291506e310d99c350d691f52e8ee530ccd7facc8c82abf951cf1343a79b5bb207882c8bd3bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5204011f-7e20-4a9c-9824-860430b5d326.tmp

Filesize
11KB

MD5
dfa26df54bea3c5e9ee2043f2eead02e

SHA1
f9aa40b5d75a65b436e260c7519c7de28723e409

SHA256
256ada9dd8a71b9f47c90c50e2d5c481caa521fad407d83a0b67cfcc8527387e

SHA512
ac42c94deb7f8990b0459c9cf5a95852ccab46a7634c782eb816380493ae2bf8405f1ab23c79751f52c8ed812b168fbbc8ad5bad5a3fa352789bab39b016ae50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d686809520430031d6ecf2c8de5f735

SHA1
64e3932e857e1b34077e1b7793f40ad35abaf6b8

SHA256
c5f61a0a6d91e818e9ada3e527de4a5975767d6425823b33ea107cec0c99874b

SHA512
8a5adfc8d90f0752672879cf18f55be8e80e36e2a7bdf281ee3967f9953413dc31c33a0b52ada169c3f628896a28caba1769d8d33874903260ad6c8d5a925e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
6a9e9f1c6f4ee24bb52a7a6dbb5f12a4

SHA1
f6f805526c739877dac7f6efb9805e9594843c27

SHA256
e47ba483396997cc1098535047d6739d82d9faf224219d02b3d745c6acc3ccae

SHA512
83085263cc570639862c88fabfe649601446cbd03b641c0bc84932251dd535237c730e5458798857350533f781849b80e1fc12c00f8c6822ad5f0bad5a18cbe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
908B

MD5
c3656e76a45a7844582e02182198f7d3

SHA1
ab8448e5df000b1b7a589f5289852a4d37ab6edd

SHA256
da2321094bf763db7ae7af2f0b18e20a1c44c3d5e937efc692fc3c52fba54bdc

SHA512
1a335a239bb876a3dd92a9de296ba88b607197d0e7cb3ebdbfd0e4c696f4223325db358f18bcb4211c333bdc7fb7017c0c4f1b3dc1a72a2e0e9bfad62d164b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d08047207169c7b8c98d496d5523ac5

SHA1
e22e380b9a5c53d2b92a580a7c43c763f70b1f09

SHA256
a4375e0b64cffc8040faf1b203538cb3ffd1d24ae445b2ec6f4bd58abf2fd3a7

SHA512
5b3a1e84cfa42142aa35167427af9d6cbfbe1ca5326caf4d808cfea3ad0c9c89abe35c8c4fe5037a692250eb9d615c5646e97922087ce5ac9da44391ec791b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
070156a3eea3d3421ddec2210606e9ef

SHA1
d049701a18afa97028ea4b93a5ff67c4b0b3dc7b

SHA256
119f28d252ae4075cbdc927eeab4a59c6580ad6fec526eb3e9a21e55ddbbc71c

SHA512
3390e1091967bee5a160373eb7bf915ba293ef96de569d0f8c93a868e888be4babb0e125d48ea3ef3b26f4487060ab4b9978a0253119265a684b94103f38f51c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
46a89aa925978072e453340050a01245

SHA1
e04a0f12716fe73f7ff3dbeea18d619b4d4a6189

SHA256
77e0c542d1952c6ed006f64fcd4120b1744e124775830c4e4d607df656e92d9d

SHA512
5d1b76587e9169d9e0903a7863b64a65d32c54533bbce84580372d9bb35b622569ce764fa4bf0ef68f2cc84ee9078776436d388e8c8c9cfdc4df9d1057689283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5SKC0.tmp\lonelyscreen-win-installer.tmp

Filesize
1.1MB

MD5
f120c361b527a9d090782300aa8f1ce5

SHA1
ed82441da0dc7a5695ef96839fc2aea0f0c7e376

SHA256
9209a83ac4b0127081327b6e03960e2a4325dbb31f0bba2b56dfb785583f9825

SHA512
60fc418c4296f67b923e1fff4e6034ed41eeba61604b14d560cfd84e7476b59311c6029aee7ee602d8fdc635107855e5c05dcf6a0137c6ba89db7134e63e5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5SKC0.tmp\lonelyscreen-win-installer.tmp

Filesize
1.1MB

MD5
f120c361b527a9d090782300aa8f1ce5

SHA1
ed82441da0dc7a5695ef96839fc2aea0f0c7e376

SHA256
9209a83ac4b0127081327b6e03960e2a4325dbb31f0bba2b56dfb785583f9825

SHA512
60fc418c4296f67b923e1fff4e6034ed41eeba61604b14d560cfd84e7476b59311c6029aee7ee602d8fdc635107855e5c05dcf6a0137c6ba89db7134e63e5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-66AK4.tmp\setup.tmp

Filesize
1.1MB

MD5
f120c361b527a9d090782300aa8f1ce5

SHA1
ed82441da0dc7a5695ef96839fc2aea0f0c7e376

SHA256
9209a83ac4b0127081327b6e03960e2a4325dbb31f0bba2b56dfb785583f9825

SHA512
60fc418c4296f67b923e1fff4e6034ed41eeba61604b14d560cfd84e7476b59311c6029aee7ee602d8fdc635107855e5c05dcf6a0137c6ba89db7134e63e5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-66AK4.tmp\setup.tmp

Filesize
1.1MB

MD5
f120c361b527a9d090782300aa8f1ce5

SHA1
ed82441da0dc7a5695ef96839fc2aea0f0c7e376

SHA256
9209a83ac4b0127081327b6e03960e2a4325dbb31f0bba2b56dfb785583f9825

SHA512
60fc418c4296f67b923e1fff4e6034ed41eeba61604b14d560cfd84e7476b59311c6029aee7ee602d8fdc635107855e5c05dcf6a0137c6ba89db7134e63e5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UQ88.tmp\bonjour.msi

Filesize
2.6MB

MD5
8dcf5c9eaacdaf4568220d103f393dea

SHA1
27f68596398b68ba048f95752b4eeb4aa013c23f

SHA256
53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93

SHA512
10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UQ88.tmp\isxdl.dll

Filesize
131KB

MD5
16881920cbe9ddb46c3ef29ee405a857

SHA1
0f76cffc2e57cf5c481a8015d203b96638d36ef5

SHA256
59abe5f46020cb56e1079df8dc1145b2033e4b1459ae3d92f637064a6b618bc1

SHA512
f07d1f4133a2ba2bda92fa6f55360fae73e44b97756ee3044f31af5f9e01cda34e7efbb1520c0b5aa2a496edc03ed4fefdc4ad419c1028b1ce6457b69aabeba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UQ88.tmp\setup.exe

Filesize
7.6MB

MD5
7a2f16b1053362d8e8edae5e320dd4d9

SHA1
8cda4387a93287f38d2b48fb109bd54a77bcdcf9

SHA256
d2c7d87fad0c0fa94a4e2acdca4524cda696f2fd0c53ea9ddbe927da839707fa

SHA512
2277ee7ac98560093a652019bf3a2fb18f02718580ef6711532498aaa17b87705266ed83093ffd4cfc73ec608a76359336a1780586679838633ac403bf683bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UQ88.tmp\setup.exe

Filesize
7.6MB

MD5
7a2f16b1053362d8e8edae5e320dd4d9

SHA1
8cda4387a93287f38d2b48fb109bd54a77bcdcf9

SHA256
d2c7d87fad0c0fa94a4e2acdca4524cda696f2fd0c53ea9ddbe927da839707fa

SHA512
2277ee7ac98560093a652019bf3a2fb18f02718580ef6711532498aaa17b87705266ed83093ffd4cfc73ec608a76359336a1780586679838633ac403bf683bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LFJC1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Windows\Installer\MSIC10E.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSIC10E.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSIC286.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSIC286.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSIC46C.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSIC46C.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSIC46C.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSIC4FA.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSIC4FA.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSIC6CF.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSIC6CF.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSICB93.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSICB93.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSICB93.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\e57bc89.msi

Filesize
2.6MB

MD5
8dcf5c9eaacdaf4568220d103f393dea

SHA1
27f68596398b68ba048f95752b4eeb4aa013c23f

SHA256
53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93

SHA512
10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088

Download Submit
C:\Windows\SysWOW64\dnssd.dll

Filesize
71KB

MD5
062373995eae5f0eac9eaa9192136bfb

SHA1
b421e274da7d34aba8bf09ec2d3e7b4a01392b84

SHA256
0392d5656bd677c4c5cb74c96e7b85b0867f2535a37950aec7f5c4a1a70d19ae

SHA512
89c01c6c0abb7462a0dff6d9d03141f5dc42d08fcb22e44e532d8a87dd9d8c7db2fc272a1a52a147645e54d0116db94878fedc81f5fe4e5bf7d15292d95b2b88

Download Submit
C:\Windows\SysWOW64\dnssd.dll

Filesize
71KB

MD5
062373995eae5f0eac9eaa9192136bfb

SHA1
b421e274da7d34aba8bf09ec2d3e7b4a01392b84

SHA256
0392d5656bd677c4c5cb74c96e7b85b0867f2535a37950aec7f5c4a1a70d19ae

SHA512
89c01c6c0abb7462a0dff6d9d03141f5dc42d08fcb22e44e532d8a87dd9d8c7db2fc272a1a52a147645e54d0116db94878fedc81f5fe4e5bf7d15292d95b2b88

Download Submit
memory/1544-62-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1544-41-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1864-28-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1864-30-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/1864-29-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1864-66-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1864-365-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1864-17-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/1864-7-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1864-380-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2060-1-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2060-26-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2060-383-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-35-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5032-65-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download