039004b76a1bc5ac020958256bdcf97f1464398c13b0be2e0d0078f1aee8b3a7

Analysis

max time kernel
156s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

lonelyscreen-win-installer.exe
Size

538KB
MD5

64da00119c76c6e1d75f059ffc4a772d
SHA1

ebaebff7db60430cad107d4efc45654d43f98075
SHA256

039004b76a1bc5ac020958256bdcf97f1464398c13b0be2e0d0078f1aee8b3a7
SHA512

d13544aa2ee6060510c0f906e3f174a4ec40878f36193a99d6c527b62fa6a379115e965e272069b0e3f0479df16e6899a096ede37fb0832262c72d3d24f824f3
SSDEEP

12288:AS3yBV888888888888W88888888888pKfXGU69eTutORzK/AA9i6Zub02O9HtFbl:/3yLKfXG6wZ/D9kqtZaTq

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Executes dropped EXE 6 IoCs

pid	Process
4880	lonelyscreen-win-installer.tmp
4704	setup.exe
1620	setup.tmp
5732	mDNSResponder.exe
2544	Process not Found
5912	lonelyscreen.exe

Loads dropped DLL 12 IoCs

pid	Process
4880	lonelyscreen-win-installer.tmp
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4836	MsiExec.exe
5652	MsiExec.exe
5704	MsiExec.exe
5912	lonelyscreen.exe
2516	Process not Found
1400	Process not Found

Registers COM server for autorun 1 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LonelyScreen = "C:\\Program Files (x86)\\LonelyScreen\\lonelyscreen.exe /start_context sys_auto"	setup.tmp

Blocklisted process makes network request 3 IoCs

flow	pid	Process
45	3760	msiexec.exe
48	3760	msiexec.exe
50	3760	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dnssd.dll	msiexec.exe
File created	C:\Windows\system32\dnssd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dnssdX.dll	msiexec.exe
File created	C:\Windows\system32\dnssdX.dll	msiexec.exe
File created	C:\Windows\SysWOW64\jdns_sd.dll	msiexec.exe
File created	C:\Windows\system32\jdns_sd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dns-sd.exe	msiexec.exe
File created	C:\Windows\system32\dns-sd.exe	msiexec.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LonelyScreen\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\LonelyScreen\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\unins001.dat	lonelyscreen-win-installer.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt_PT.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ru.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-S11JN.tmp	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt.lproj\About Bonjour.rtf	msiexec.exe
File opened for modification	C:\Program Files (x86)\LonelyScreen\unins001.dat	lonelyscreen-win-installer.tmp
File opened for modification	C:\Program Files (x86)\LonelyScreen\LonelyScreen.exe	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-BTMMB.tmp	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-CNN0V.tmp	lonelyscreen-win-installer.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\sv.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files\Bonjour\About Bonjour.lnk	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIB0F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB675.tmp	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB20D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB24C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File created	C:\Windows\Installer\e57ac62.msi	msiexec.exe
File created	C:\Windows\Installer\e57ac5d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ac5d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB376.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB17F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ = "_IDNSSDEvents"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\ = "DNSSDEventManager Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ = "IDNSSDRecord"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID\ = "Bonjour.DNSSDRecord"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods\ = "19"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ = "IDNSSDService"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\2 = "C:\\ProgramData\\Apple\\Installer Cache\\Bonjour 3.0.0.10\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord\CurVer\ = "Bonjour.DNSSDRecord.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ = "TXTRecord Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ = "DNSSDRecord Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ = "_IDNSSDEvents"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods\ = "7"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\ = "Apple Bonjour Library 1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods\ = "14"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ProgID\ = "Bonjour.DNSSDService.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord.1\CLSID\ = "{AFEE063C-05BA-4248-A26E-168477F49734}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ProgID\ = "Bonjour.TXTRecord.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID\ = "Bonjour.DNSSDService"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ = "DNSSDService Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1620	setup.tmp
1620	setup.tmp
5016	msedge.exe
5016	msedge.exe
1020	msedge.exe
1020	msedge.exe
4880	lonelyscreen-win-installer.tmp
4880	lonelyscreen-win-installer.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3608	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3608	msiexec.exe
Token: SeSecurityPrivilege	3760	msiexec.exe
Token: SeCreateTokenPrivilege	3608	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3608	msiexec.exe
Token: SeLockMemoryPrivilege	3608	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3608	msiexec.exe
Token: SeMachineAccountPrivilege	3608	msiexec.exe
Token: SeTcbPrivilege	3608	msiexec.exe
Token: SeSecurityPrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeLoadDriverPrivilege	3608	msiexec.exe
Token: SeSystemProfilePrivilege	3608	msiexec.exe
Token: SeSystemtimePrivilege	3608	msiexec.exe
Token: SeProfSingleProcessPrivilege	3608	msiexec.exe
Token: SeIncBasePriorityPrivilege	3608	msiexec.exe
Token: SeCreatePagefilePrivilege	3608	msiexec.exe
Token: SeCreatePermanentPrivilege	3608	msiexec.exe
Token: SeBackupPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeShutdownPrivilege	3608	msiexec.exe
Token: SeDebugPrivilege	3608	msiexec.exe
Token: SeAuditPrivilege	3608	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3608	msiexec.exe
Token: SeChangeNotifyPrivilege	3608	msiexec.exe
Token: SeRemoteShutdownPrivilege	3608	msiexec.exe
Token: SeUndockPrivilege	3608	msiexec.exe
Token: SeSyncAgentPrivilege	3608	msiexec.exe
Token: SeEnableDelegationPrivilege	3608	msiexec.exe
Token: SeManageVolumePrivilege	3608	msiexec.exe
Token: SeImpersonatePrivilege	3608	msiexec.exe
Token: SeCreateGlobalPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1620	setup.tmp
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
4880	lonelyscreen-win-installer.tmp
5912	lonelyscreen.exe
5912	lonelyscreen.exe
5912	lonelyscreen.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
5912	lonelyscreen.exe
5912	lonelyscreen.exe
5912	lonelyscreen.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5912	lonelyscreen.exe
5912	lonelyscreen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 4880	1704	lonelyscreen-win-installer.exe	86
PID 1704 wrote to memory of 4880	1704	lonelyscreen-win-installer.exe	86
PID 1704 wrote to memory of 4880	1704	lonelyscreen-win-installer.exe	86
PID 4880 wrote to memory of 4704	4880	lonelyscreen-win-installer.tmp	99
PID 4880 wrote to memory of 4704	4880	lonelyscreen-win-installer.tmp	99
PID 4880 wrote to memory of 4704	4880	lonelyscreen-win-installer.tmp	99
PID 4704 wrote to memory of 1620	4704	setup.exe	100
PID 4704 wrote to memory of 1620	4704	setup.exe	100
PID 4704 wrote to memory of 1620	4704	setup.exe	100
PID 1620 wrote to memory of 1020	1620	setup.tmp	102
PID 1620 wrote to memory of 1020	1620	setup.tmp	102
PID 1020 wrote to memory of 2416	1020	msedge.exe	103
PID 1020 wrote to memory of 2416	1020	msedge.exe	103
PID 4880 wrote to memory of 3608	4880	lonelyscreen-win-installer.tmp	104
PID 4880 wrote to memory of 3608	4880	lonelyscreen-win-installer.tmp	104
PID 4880 wrote to memory of 3608	4880	lonelyscreen-win-installer.tmp	104
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 2844	1020	msedge.exe	107
PID 1020 wrote to memory of 5016	1020	msedge.exe	108
PID 1020 wrote to memory of 5016	1020	msedge.exe	108
PID 1020 wrote to memory of 4924	1020	msedge.exe	109
PID 1020 wrote to memory of 4924	1020	msedge.exe	109
PID 1020 wrote to memory of 4924	1020	msedge.exe	109
PID 1020 wrote to memory of 4924	1020	msedge.exe	109
PID 1020 wrote to memory of 4924	1020	msedge.exe	109
PID 1020 wrote to memory of 4924	1020	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe
"C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\is-08FJ5.tmp\lonelyscreen-win-installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-08FJ5.tmp\lonelyscreen-win-installer.tmp" /SL5="$B0062,164153,114176,C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\is-NK7SD.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-NK7SD.tmp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\is-R5DT1.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-R5DT1.tmp\setup.tmp" /SL5="$70224,7573378,114176,C:\Users\Admin\AppData\Local\Temp\is-NK7SD.tmp\setup.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.lonelyscreen.com/installed.php?version=1.2.16
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd305946f8,0x7ffd30594708,0x7ffd30594718
        6⤵
        
        PID:2416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17773323272300375481,137512360383260613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        6⤵
        
        PID:2844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17773323272300375481,137512360383260613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17773323272300375481,137512360383260613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
        6⤵
        
        PID:4924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17773323272300375481,137512360383260613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        6⤵
        
        PID:2732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17773323272300375481,137512360383260613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        6⤵
        
        PID:2164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17773323272300375481,137512360383260613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
        6⤵
        
        PID:1700
- - C:\Windows\SysWOW64\msiexec.exe
    "msiexec.exe" /qn /i C:\Users\Admin\AppData\Local\Temp\is-NK7SD.tmp\bonjour.msi
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Program Files (x86)\LonelyScreen\lonelyscreen.exe
    "C:\Program Files (x86)\LonelyScreen\lonelyscreen.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3760
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding BF719B49D8690A784116C80C8E179803
  2⤵
  - Loads dropped DLL
  PID:4932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 119FE1C3723F774833B6F562770139F6
  2⤵
  - Loads dropped DLL
  PID:4468
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5B8954166282078CB84C680944E97F90 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4836
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:5652
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:5704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:5732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ac60.rbs

Filesize
126KB

MD5
e342843216f12301105c7ad9319f1e3b

SHA1
1358f8ca005f31b191c66bf5c4ac3fbb4ce4e680

SHA256
7fb15290c9dd62f6d38afe6d38ed50708212987a2719595f34eedd8985e8484a

SHA512
7823416de0238172538e77f6205f84e4dff6a3c4bf0fc51e368907472d2daf566cb119941e6ef20c2b28b3c111c00372bdbaf0bd40ec078d7de98f81b6263dc0

Download Submit
C:\Program Files (x86)\Bonjour\mDNSResponder.exe

Filesize
381KB

MD5
db5bea73edaf19ac68b2c0fad0f92b1a

SHA1
74bb0197763e386036751bf30c5bbf4c389fa24e

SHA256
10f21999ff6b1d410ebf280f7f27deaca5289739cf12f4293b614b8fc6c88dcc

SHA512
63b718288c266debf3f58ac1a62cdcca6f09350616d53a406271d8f4fe6144751eddf7b7ba2dbfe79cfda671ee5afbdbae5798204edaaf4f0391895b824ae7c5

Download Submit
C:\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
118KB

MD5
40947436a70e0034e41123df5a0a7702

SHA1
6c27e1dd1c1533feb6435190a5074300ac2a9822

SHA256
5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9

SHA512
ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704

Download Submit
C:\Program Files (x86)\LonelyScreen\LonelyScreen.exe

Filesize
22.3MB

MD5
a3ff7e328f41f4a6af82266bfe12036f

SHA1
79f0e44415ffe74b320dfb27c8988d326dc80b2e

SHA256
9f2a9f89adda3003c587e4a9bdf5decf3260beefb135180e44845aee7730f731

SHA512
472625b9ab26e83845a72423722e4b1286dce950597a52e95dff385bb33c1a1e4870755f273c8a02dea0793d04bdad7779cc05c786dff7ed624f5feb46d0a803

Download Submit
C:\Program Files (x86)\LonelyScreen\is-CNN0V.tmp

Filesize
1.1MB

MD5
cc8b164c85cc68a2e6e0d10e452ef68b

SHA1
fed79b50a5f03c0e33071ff849ea19dfdaf3c464

SHA256
20590034969e110c4fba1d065da8ac53dad79f5b8a9bd68780164207a170c749

SHA512
bee540ceb2b1de587872cdb963d2c754ac4ba0f3cac8026c3d7c2882aae0bfeb31babae927361b2ef5484ab2085b4a19914cc99a504aafd3f08c34f9f626699d

Download Submit
C:\Program Files (x86)\LonelyScreen\unins000.dat

Filesize
6KB

MD5
17d15a80b6fd5c2ecb85e4596a28c8fe

SHA1
dd7fd51489fe6c0755b4ecb434dd468e6aea6816

SHA256
f85773c6870bcb4827d09b96a90b486cfdaeffc5aabd069a9289135b39c6632a

SHA512
1bc8537247d006c918fbea2a5c6a3ca3f84ba38fa9df6f467f8cfb73f270865affffe909d84b6969ab7aecb439127e9d358de9c341befafcdd6aa9acff18f8a7

Download Submit
C:\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
ebbcd5dfbb1de70e8f4af8fa59e401fd

SHA1
5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88

SHA256
17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122

SHA512
2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar

Filesize
16KB

MD5
ca086bb31b598febd7e8d44daf14714a

SHA1
4838808e80df811cfb2bf7faf361b3cbc16f9f81

SHA256
3818abdee5b1d3d77ae4a5ace25a638b2d7d624605f8e8ce14dd6d4c6639c00c

SHA512
54188bf433a0da1b6b8f6f881af6d681a6bb629693191c7ee46f852953529cb94dfa894aca574e1cd7355985ea8d6187e7694c8144ea1db880922676f0dfe0c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\006EEFEC97D222DB3BA1DB30E8FB83D5

Filesize
503B

MD5
357a6c4b10cc6cf0327bace4c25a3063

SHA1
24080f9a3802a9dc16f529e77adc0bff7752d423

SHA256
7e0a6541cf576162034c49508aa851e958c94a3bed45362855ade48d514815d6

SHA512
fbe2dddeb67931f9c5814e27de5d432b4f9df1b1916932726d7d256961d042d9f5de355dfd93c5dd0d10b11e98b7675defecf6c606dea2eb08e114c551506c22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\006EEFEC97D222DB3BA1DB30E8FB83D5

Filesize
548B

MD5
7cf86c97f6c8e394df94d38f84fc6323

SHA1
1c5235fe862b245338c463d9e32d33b147a7728f

SHA256
33cc25b4a583fd94d24fb9e48319eec9934622c22817e694f8b9c1082a2c7c62

SHA512
643f5e42ce6c2a8506e2f9256992fda51572f61c16b139d8cec773a1eebd510c4707e1ffce7504bbae53bb05f15416ad9b8f2212566609d4d380994363f9bc13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
eea0cc06e645cd8ec20fa54216ef1f4e

SHA1
f556f37e542918501749f1eab95b9d5578390390

SHA256
6f81b68c5b6d73c77ce787201f06e2a6611191785b66de8d09e4d84d1f6bd27f

SHA512
73112abd948e786e766378a4765c1d1a14393c601360b88f805d62a29a3fcec769275a70415184f5bdb9511f5ed8cbc349f4fcfc04a19bbac7ddb29a2626c07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
77eeb28e412bc06094bec03b29e1fd80

SHA1
d190d0074b20e4825399dac500ba7f644fe580b3

SHA256
21eebb4581baa0ae9abe6e2c44d3c3de0730c0b556220205e8e706ff923dc122

SHA512
42b6f2b33a88a0f807b7491b196da14cabb77b8013f666cf69865ce151660dee01c1064f4c81f48ea1cbfa58cf0e30ba16c83b0bd3d6dcfee0ea34d35e0eb123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
909B

MD5
3f0a4b1906fee89e1e118f0a61e4eaa1

SHA1
eb5c2487a1f038eae6f26f163f4327130d0bf7d2

SHA256
d57a18620c4607e5b21890090ea4ffd215570a0cd22aea4951ba96855a9ecf14

SHA512
27dea0719bd974ae2a65457bcf9eedc9f8338d79fd4fcde1c9a7c990e58b8f9d78acdde0f3bd74ce43c7cfd6f83286afead688cb61e9bfbf9479e62edca31a8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52a419c891a3692d587ba1c8efc85460

SHA1
527c01c65f63cb65a79a81f29baa100ddddda6cd

SHA256
b72bd07fbbb578c6f0ff5d25a8755c3a9fd95c2068ebf3bb3da0504a235e8f61

SHA512
c4aaa064b8037a1281d2491bd085d2b9455803ff3d8b4174c98aba332a48b6c81f28ceb46f65e4a0033cd705247d948e94e1407b3e7dafe23a8a4f4453381d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8ea4c889b58ae785e323bdb37db4fc14

SHA1
6b6e6f9b3b6aacea57433924acb3fdc957689238

SHA256
470ca98170509eb512a52b2c5613159061bdc3ba793a425629a10e9eececfb7d

SHA512
921fa91826a9e93aa9c22f0be26e5d49b26d5948984824a7c27838ff6429b24081d05f7bff70e0a53d846fd432e89f9c9a13f22e468bdc98140d333f2bc60f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b2b5b4e4d350ab36eeaf626be692bf48

SHA1
2fd50d45d623ddbafdad86cf6ecdfdfa0ac8d97a

SHA256
2c1ebdff6156c003fd8b0429bad3dd3e884a3486b7cd82a2e6f16c5f6877c0a5

SHA512
298428bd786c5bac78e590b931959cc3a304f8e77bda4b15d6babe5f0e26a7eb0923ae3ae53cb54e7a0ea84ba24404dad871c71bd849eb9a31e57f0b81436f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-08FJ5.tmp\lonelyscreen-win-installer.tmp

Filesize
1.1MB

MD5
f120c361b527a9d090782300aa8f1ce5

SHA1
ed82441da0dc7a5695ef96839fc2aea0f0c7e376

SHA256
9209a83ac4b0127081327b6e03960e2a4325dbb31f0bba2b56dfb785583f9825

SHA512
60fc418c4296f67b923e1fff4e6034ed41eeba61604b14d560cfd84e7476b59311c6029aee7ee602d8fdc635107855e5c05dcf6a0137c6ba89db7134e63e5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-974CF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NK7SD.tmp\bonjour.msi

Filesize
2.6MB

MD5
8dcf5c9eaacdaf4568220d103f393dea

SHA1
27f68596398b68ba048f95752b4eeb4aa013c23f

SHA256
53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93

SHA512
10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NK7SD.tmp\isxdl.dll

Filesize
131KB

MD5
16881920cbe9ddb46c3ef29ee405a857

SHA1
0f76cffc2e57cf5c481a8015d203b96638d36ef5

SHA256
59abe5f46020cb56e1079df8dc1145b2033e4b1459ae3d92f637064a6b618bc1

SHA512
f07d1f4133a2ba2bda92fa6f55360fae73e44b97756ee3044f31af5f9e01cda34e7efbb1520c0b5aa2a496edc03ed4fefdc4ad419c1028b1ce6457b69aabeba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NK7SD.tmp\setup.exe

Filesize
7.6MB

MD5
7a2f16b1053362d8e8edae5e320dd4d9

SHA1
8cda4387a93287f38d2b48fb109bd54a77bcdcf9

SHA256
d2c7d87fad0c0fa94a4e2acdca4524cda696f2fd0c53ea9ddbe927da839707fa

SHA512
2277ee7ac98560093a652019bf3a2fb18f02718580ef6711532498aaa17b87705266ed83093ffd4cfc73ec608a76359336a1780586679838633ac403bf683bcd

Download Submit
C:\Windows\Installer\MSIB0A3.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSIB24C.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\SysWOW64\dnssd.dll

Filesize
71KB

MD5
062373995eae5f0eac9eaa9192136bfb

SHA1
b421e274da7d34aba8bf09ec2d3e7b4a01392b84

SHA256
0392d5656bd677c4c5cb74c96e7b85b0867f2535a37950aec7f5c4a1a70d19ae

SHA512
89c01c6c0abb7462a0dff6d9d03141f5dc42d08fcb22e44e532d8a87dd9d8c7db2fc272a1a52a147645e54d0116db94878fedc81f5fe4e5bf7d15292d95b2b88

Download Submit
memory/1620-42-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1620-63-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1704-368-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1704-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1704-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4704-36-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4704-65-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4880-32-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/4880-16-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/4880-28-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/4880-6-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4880-31-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4880-367-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/4880-159-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download