039004b76a1bc5ac020958256bdcf97f1464398c13b0be2e0d0078f1aee8b3a7

Analysis

max time kernel
68s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lonelyscreen-win-installer.exe
Size

538KB
MD5

64da00119c76c6e1d75f059ffc4a772d
SHA1

ebaebff7db60430cad107d4efc45654d43f98075
SHA256

039004b76a1bc5ac020958256bdcf97f1464398c13b0be2e0d0078f1aee8b3a7
SHA512

d13544aa2ee6060510c0f906e3f174a4ec40878f36193a99d6c527b62fa6a379115e965e272069b0e3f0479df16e6899a096ede37fb0832262c72d3d24f824f3
SSDEEP

12288:AS3yBV888888888888W88888888888pKfXGU69eTutORzK/AA9i6Zub02O9HtFbl:/3yLKfXG6wZ/D9kqtZaTq

Score

10^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
1476	lonelyscreen-win-installer.tmp
3444	setup.exe
1656	setup.tmp
1196	mDNSResponder.exe
2704	Process not Found
636	lonelyscreen.exe

Loads dropped DLL 12 IoCs

pid	Process
1476	lonelyscreen-win-installer.tmp
2584	MsiExec.exe
2584	MsiExec.exe
2584	MsiExec.exe
1048	MsiExec.exe
1048	MsiExec.exe
2012	MsiExec.exe
452	MsiExec.exe
4728	MsiExec.exe
1548	msedge.exe
636	lonelyscreen.exe
2624	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LonelyScreen = "C:\\Program Files (x86)\\LonelyScreen\\lonelyscreen.exe /start_context sys_auto"	setup.tmp

Blocklisted process makes network request 2 IoCs

flow	pid	Process
49	1928	msiexec.exe
53	1928	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\jdns_sd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dns-sd.exe	msiexec.exe
File created	C:\Windows\system32\dns-sd.exe	msiexec.exe
File created	C:\Windows\SysWOW64\dnssd.dll	msiexec.exe
File created	C:\Windows\system32\dnssd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dnssdX.dll	msiexec.exe
File created	C:\Windows\system32\dnssdX.dll	msiexec.exe
File created	C:\Windows\SysWOW64\jdns_sd.dll	msiexec.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LonelyScreen\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-VBE8O.tmp	lonelyscreen-win-installer.tmp
File opened for modification	C:\Program Files (x86)\LonelyScreen\unins001.dat	lonelyscreen-win-installer.tmp
File created	C:\Program Files (x86)\LonelyScreen\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\sv.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-9HTV0.tmp	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt_PT.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\unins001.dat	lonelyscreen-win-installer.tmp
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ru.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-GN2O0.tmp	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf	msiexec.exe
File opened for modification	C:\Program Files (x86)\LonelyScreen\LonelyScreen.exe	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt.lproj\About Bonjour.rtf	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8191.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8629.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8066.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI833A.tmp	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File created	C:\Windows\Installer\e587d0b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI80B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File created	C:\Windows\Installer\e587d10.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e587d0b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI823F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
468	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService\CLSID\ = "{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ProgID\ = "Bonjour.TXTRecord.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDEventManager.1\ = "DNSSDEventManager Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B0163E6D0340BE4183EB2758E9BEDD8	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ProgID\ = "Bonjour.DNSSDRecord.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "IDNSSDEventManager"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B0163E6D0340BE4183EB2758E9BEDD8\Bonjour	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "PSFactoryBuffer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord.1\CLSID\ = "{5E93C5A9-7516-4259-A67B-41A656F6E01C}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ = "ITXTRecord"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\ = "DNSSDEventManager Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-RL3GF.tmp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1656	setup.tmp
1656	setup.tmp
1548	msedge.exe
1548	msedge.exe
4992	msedge.exe
4992	msedge.exe
4000	identity_helper.exe
4000	identity_helper.exe
1476	lonelyscreen-win-installer.tmp
1476	lonelyscreen-win-installer.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	468	msiexec.exe
Token: SeSecurityPrivilege	1928	msiexec.exe
Token: SeCreateTokenPrivilege	468	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	468	msiexec.exe
Token: SeLockMemoryPrivilege	468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	468	msiexec.exe
Token: SeMachineAccountPrivilege	468	msiexec.exe
Token: SeTcbPrivilege	468	msiexec.exe
Token: SeSecurityPrivilege	468	msiexec.exe
Token: SeTakeOwnershipPrivilege	468	msiexec.exe
Token: SeLoadDriverPrivilege	468	msiexec.exe
Token: SeSystemProfilePrivilege	468	msiexec.exe
Token: SeSystemtimePrivilege	468	msiexec.exe
Token: SeProfSingleProcessPrivilege	468	msiexec.exe
Token: SeIncBasePriorityPrivilege	468	msiexec.exe
Token: SeCreatePagefilePrivilege	468	msiexec.exe
Token: SeCreatePermanentPrivilege	468	msiexec.exe
Token: SeBackupPrivilege	468	msiexec.exe
Token: SeRestorePrivilege	468	msiexec.exe
Token: SeShutdownPrivilege	468	msiexec.exe
Token: SeDebugPrivilege	468	msiexec.exe
Token: SeAuditPrivilege	468	msiexec.exe
Token: SeSystemEnvironmentPrivilege	468	msiexec.exe
Token: SeChangeNotifyPrivilege	468	msiexec.exe
Token: SeRemoteShutdownPrivilege	468	msiexec.exe
Token: SeUndockPrivilege	468	msiexec.exe
Token: SeSyncAgentPrivilege	468	msiexec.exe
Token: SeEnableDelegationPrivilege	468	msiexec.exe
Token: SeManageVolumePrivilege	468	msiexec.exe
Token: SeImpersonatePrivilege	468	msiexec.exe
Token: SeCreateGlobalPrivilege	468	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1656	setup.tmp
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
636	lonelyscreen.exe
636	lonelyscreen.exe
1476	lonelyscreen-win-installer.tmp
636	lonelyscreen.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
636	lonelyscreen.exe
636	lonelyscreen.exe
636	lonelyscreen.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
636	lonelyscreen.exe
636	lonelyscreen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1476	2364	lonelyscreen-win-installer.exe	84
PID 2364 wrote to memory of 1476	2364	lonelyscreen-win-installer.exe	84
PID 2364 wrote to memory of 1476	2364	lonelyscreen-win-installer.exe	84
PID 1476 wrote to memory of 3444	1476	lonelyscreen-win-installer.tmp	91
PID 1476 wrote to memory of 3444	1476	lonelyscreen-win-installer.tmp	91
PID 1476 wrote to memory of 3444	1476	lonelyscreen-win-installer.tmp	91
PID 3444 wrote to memory of 1656	3444	setup.exe	92
PID 3444 wrote to memory of 1656	3444	setup.exe	92
PID 3444 wrote to memory of 1656	3444	setup.exe	92
PID 1656 wrote to memory of 4992	1656	setup.tmp	94
PID 1656 wrote to memory of 4992	1656	setup.tmp	94
PID 4992 wrote to memory of 4320	4992	msedge.exe	95
PID 4992 wrote to memory of 4320	4992	msedge.exe	95
PID 1476 wrote to memory of 468	1476	lonelyscreen-win-installer.tmp	96
PID 1476 wrote to memory of 468	1476	lonelyscreen-win-installer.tmp	96
PID 1476 wrote to memory of 468	1476	lonelyscreen-win-installer.tmp	96
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 4272	4992	msedge.exe	98
PID 4992 wrote to memory of 1548	4992	msedge.exe	99
PID 4992 wrote to memory of 1548	4992	msedge.exe	99
PID 4992 wrote to memory of 4104	4992	msedge.exe	100
PID 4992 wrote to memory of 4104	4992	msedge.exe	100
PID 4992 wrote to memory of 4104	4992	msedge.exe	100
PID 4992 wrote to memory of 4104	4992	msedge.exe	100
PID 4992 wrote to memory of 4104	4992	msedge.exe	100
PID 4992 wrote to memory of 4104	4992	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe
"C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\is-22F2J.tmp\lonelyscreen-win-installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-22F2J.tmp\lonelyscreen-win-installer.tmp" /SL5="$80090,164153,114176,C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\is-RL3GF.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-RL3GF.tmp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\is-72FQ1.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-72FQ1.tmp\setup.tmp" /SL5="$A0050,7573378,114176,C:\Users\Admin\AppData\Local\Temp\is-RL3GF.tmp\setup.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.lonelyscreen.com/installed.php?version=1.2.16
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4992
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1ed646f8,0x7ffa1ed64708,0x7ffa1ed64718
        6⤵
        
        PID:4320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,18121096756943573913,6172726091041216820,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        6⤵
        
        PID:4272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,18121096756943573913,6172726091041216820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,18121096756943573913,6172726091041216820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
        6⤵
        
        PID:4104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,18121096756943573913,6172726091041216820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        6⤵
        
        PID:2924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,18121096756943573913,6172726091041216820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        6⤵
        
        PID:3400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,18121096756943573913,6172726091041216820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        6⤵
        
        PID:3416
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,18121096756943573913,6172726091041216820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3256 /prefetch:8
        6⤵
        
        PID:3432
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,18121096756943573913,6172726091041216820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3256 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
- - C:\Windows\SysWOW64\msiexec.exe
    "msiexec.exe" /qn /i C:\Users\Admin\AppData\Local\Temp\is-RL3GF.tmp\bonjour.msi
    3⤵
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- - C:\Program Files (x86)\LonelyScreen\lonelyscreen.exe
    "C:\Program Files (x86)\LonelyScreen\lonelyscreen.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1928
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4DA38FA92DD274BF58235B8113259A43
  2⤵
  - Loads dropped DLL
  PID:2584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C10AB75C7F4A433E5E867252F998A892
  2⤵
  - Loads dropped DLL
  PID:1048
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 387800474F456B960ACFC7C95F7F8AF8 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2012
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:452
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:4728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:452

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587d0e.rbs

Filesize
126KB

MD5
3f147cb1758fba76ab2ccffd1f7665b2

SHA1
9813e576cd6f80814f1dcfacf29d168759c9c036

SHA256
797230db550e3ea226bc94cbb6e8a2136140bf40e9d40c7fd5263f895501e050

SHA512
b26a4cb4a88631141f71cbc3e934e5c045c13d3f95a6a12b89c473f619aac5753ca3f3f08c992e635ac7d7ea1aaa76e267b82ebd5442183c26c3427cd064571f

Download Submit
C:\Program Files (x86)\Bonjour\mDNSResponder.exe

Filesize
381KB

MD5
db5bea73edaf19ac68b2c0fad0f92b1a

SHA1
74bb0197763e386036751bf30c5bbf4c389fa24e

SHA256
10f21999ff6b1d410ebf280f7f27deaca5289739cf12f4293b614b8fc6c88dcc

SHA512
63b718288c266debf3f58ac1a62cdcca6f09350616d53a406271d8f4fe6144751eddf7b7ba2dbfe79cfda671ee5afbdbae5798204edaaf4f0391895b824ae7c5

Download Submit
C:\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
118KB

MD5
40947436a70e0034e41123df5a0a7702

SHA1
6c27e1dd1c1533feb6435190a5074300ac2a9822

SHA256
5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9

SHA512
ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704

Download Submit
C:\Program Files (x86)\LonelyScreen\LonelyScreen.exe

Filesize
22.3MB

MD5
a3ff7e328f41f4a6af82266bfe12036f

SHA1
79f0e44415ffe74b320dfb27c8988d326dc80b2e

SHA256
9f2a9f89adda3003c587e4a9bdf5decf3260beefb135180e44845aee7730f731

SHA512
472625b9ab26e83845a72423722e4b1286dce950597a52e95dff385bb33c1a1e4870755f273c8a02dea0793d04bdad7779cc05c786dff7ed624f5feb46d0a803

Download Submit
C:\Program Files (x86)\LonelyScreen\is-VBE8O.tmp

Filesize
1.1MB

MD5
cc8b164c85cc68a2e6e0d10e452ef68b

SHA1
fed79b50a5f03c0e33071ff849ea19dfdaf3c464

SHA256
20590034969e110c4fba1d065da8ac53dad79f5b8a9bd68780164207a170c749

SHA512
bee540ceb2b1de587872cdb963d2c754ac4ba0f3cac8026c3d7c2882aae0bfeb31babae927361b2ef5484ab2085b4a19914cc99a504aafd3f08c34f9f626699d

Download Submit
C:\Program Files (x86)\LonelyScreen\unins000.dat

Filesize
6KB

MD5
e20a692cef4f69e857cad259c5f1a827

SHA1
ab51527613a01dacc54a6e5372cb027cef61954f

SHA256
356ae8f016be69cc2d8296fa4709465ff3758274d0872c3ba7257615e3852e78

SHA512
eb2895b79404b7e4c459b0f9ae4911d7f38036933f28c865f57b82e7a00bb26f37f9ebc44ec3818eb57a2a9edbc5f3ed518c8d7d0b66da8a8304d8d5890e0dfd

Download Submit
C:\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
ebbcd5dfbb1de70e8f4af8fa59e401fd

SHA1
5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88

SHA256
17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122

SHA512
2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar

Filesize
16KB

MD5
ca086bb31b598febd7e8d44daf14714a

SHA1
4838808e80df811cfb2bf7faf361b3cbc16f9f81

SHA256
3818abdee5b1d3d77ae4a5ace25a638b2d7d624605f8e8ce14dd6d4c6639c00c

SHA512
54188bf433a0da1b6b8f6f881af6d681a6bb629693191c7ee46f852953529cb94dfa894aca574e1cd7355985ea8d6187e7694c8144ea1db880922676f0dfe0c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A150CB4E847A0184D83AE873E2F0D22C

Filesize
504B

MD5
e09afddf9b4f2f3ae744b060b67d2558

SHA1
34c0047c851967f4d386c5f86eddef6be318da21

SHA256
990fe34aa4efbc123d84f390b88cf588bb39fac6be6d96225439fef9f993e23e

SHA512
ce05ed772de305203a615555e409cc6fdd24e97bb5332793fc0a0a4513aed19346e3783884a0cd1ec5e4a2b86eb0bf727cad3cd1a09394043d3da88c40b69cad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
0310a0f5fab4dff0d373c7e6b82f542b

SHA1
3580533ddb925053844fd0dffb965c4bcf77f46d

SHA256
c5d367c43918b46f0269b98aff669fe430a38d2e9aa83c3488ce0c042eb34c68

SHA512
b4ac493d06799bbaa019238f7cbff029eaa7916c8ca21132e3abea9bf05fc123b464b95f678c967a6bf4aefc8eb5a6d64b76af6752b4dbcacd128899523191f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A150CB4E847A0184D83AE873E2F0D22C

Filesize
550B

MD5
c62922e2651cc235af6461e1d8911214

SHA1
8045e937a1d6cafa59e356289ac9f96cba8a2db7

SHA256
1e60a8132d2be52e32ce82dcd0115a66228fdd2d003da86a423cad40e6c6f29d

SHA512
ad1e8e2184b90b561f5207ebf8224158ffc6f768c0fb892ef5b25a241d8bfaee98aa091af4923bfdc3a58d0bca0b3773b4e3590bcbe500bbc51c042e74f6435e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54aadd2d8ec66e446f1edb466b99ba8d

SHA1
a94f02b035dc918d8d9a46e6886413f15be5bff0

SHA256
1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e

SHA512
7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f842025e22e522658c640cfc7edc529

SHA1
4c2b24b02709acdd159f1b9bbeb396e52af27033

SHA256
1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e

SHA512
6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
700a45e0cfeb1e032d9dfddd10703324

SHA1
5cfea2d2914ed9bc9c4eaa8654a55607cd3f72df

SHA256
3528aa4f7968518f8d1723e0c2336cbe9f658be8e4d14a42d78d642d293de304

SHA512
e8e806eeedb5205a462c67dabefc2a3f388e38f202d8d55823800ee96424818576aa63edd4a465bdff0d2caf75c66af26bcd321cfd874434b40e33444718bf40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d14612dc2cf81e7eb0c4d8e1f3d7be4a

SHA1
6c6f9100a3d23aa35148e44836778e5d91796b8e

SHA256
14bf4eb0f61e11452d7354dcedafc2f7f863ee10aeeda23c9f3e4cc7db9decba

SHA512
ab932a79315db5b5e5b5d3018c54d1bf74243b2a76404e760cf31ecce2cbc0f96a194b26813cc68b1311b9f05c828c0887eba05f80712d2d92f204e0f9119de6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7cca6957b566ba1e60bab15ef9e9000

SHA1
ef792358489b13bfc4ddc82e3c411371bfc3265e

SHA256
9ae8dc91b12863953b5bfe826f8645281c0319b191e987ec31cef0e9cf36ba96

SHA512
645f3879bc712acaf3f06720c34b12a7c0bf2faad1dec80ba49a04e03e362e9d3c85e976ce673e304ebc9ed79c07fef02304f3686ea026bf6c82866b8e8f7d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c7bfdd137581d5c568ae2e5293742d84

SHA1
1dbe6b6cfc2136c1958a8b9c846fa535360ad0e4

SHA256
43c41a14e7a4a181399ea6a83d96f1d884b02538538fc12ea4301224560e6eba

SHA512
8db9678f05fec65633367a6f1874d702f840531a66768f64a840c7dd0824c0d579202fdfb726cb8e3414945166204d2dc809153278ada46ce0b6663ff46b0a36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c26e9cebc9b9c16ac176146f648079ba

SHA1
22c2aa2cecfb44a6c9cf5fb994ccfbbf60ed2ac7

SHA256
c10599739d9431a55b880c49696809f20fee2e23d2052948a70f9050a5f4e101

SHA512
443fad4e859d29d97cef6d36dd67e16a9d01ac173e8c1553e3b7093d4ca531635f68727efe6dab21fc36bd5f9cfe4bf1c48f3f32f11ab79e47d57a683a75cdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-22F2J.tmp\lonelyscreen-win-installer.tmp

Filesize
1.1MB

MD5
f120c361b527a9d090782300aa8f1ce5

SHA1
ed82441da0dc7a5695ef96839fc2aea0f0c7e376

SHA256
9209a83ac4b0127081327b6e03960e2a4325dbb31f0bba2b56dfb785583f9825

SHA512
60fc418c4296f67b923e1fff4e6034ed41eeba61604b14d560cfd84e7476b59311c6029aee7ee602d8fdc635107855e5c05dcf6a0137c6ba89db7134e63e5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JEPPS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RL3GF.tmp\bonjour.msi

Filesize
2.6MB

MD5
8dcf5c9eaacdaf4568220d103f393dea

SHA1
27f68596398b68ba048f95752b4eeb4aa013c23f

SHA256
53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93

SHA512
10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RL3GF.tmp\isxdl.dll

Filesize
131KB

MD5
16881920cbe9ddb46c3ef29ee405a857

SHA1
0f76cffc2e57cf5c481a8015d203b96638d36ef5

SHA256
59abe5f46020cb56e1079df8dc1145b2033e4b1459ae3d92f637064a6b618bc1

SHA512
f07d1f4133a2ba2bda92fa6f55360fae73e44b97756ee3044f31af5f9e01cda34e7efbb1520c0b5aa2a496edc03ed4fefdc4ad419c1028b1ce6457b69aabeba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RL3GF.tmp\setup.exe

Filesize
7.6MB

MD5
7a2f16b1053362d8e8edae5e320dd4d9

SHA1
8cda4387a93287f38d2b48fb109bd54a77bcdcf9

SHA256
d2c7d87fad0c0fa94a4e2acdca4524cda696f2fd0c53ea9ddbe927da839707fa

SHA512
2277ee7ac98560093a652019bf3a2fb18f02718580ef6711532498aaa17b87705266ed83093ffd4cfc73ec608a76359336a1780586679838633ac403bf683bcd

Download Submit
C:\Windows\Installer\MSI8066.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSI823F.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\SysWOW64\dnssd.dll

Filesize
71KB

MD5
062373995eae5f0eac9eaa9192136bfb

SHA1
b421e274da7d34aba8bf09ec2d3e7b4a01392b84

SHA256
0392d5656bd677c4c5cb74c96e7b85b0867f2535a37950aec7f5c4a1a70d19ae

SHA512
89c01c6c0abb7462a0dff6d9d03141f5dc42d08fcb22e44e532d8a87dd9d8c7db2fc272a1a52a147645e54d0116db94878fedc81f5fe4e5bf7d15292d95b2b88

Download Submit
memory/1476-32-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1476-17-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1476-369-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1476-7-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1476-50-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1656-46-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1656-68-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2364-24-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2364-2-0x0000000000401000-0x0000000000410000-memory.dmp

Filesize
60KB

Download
memory/2364-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2364-370-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3444-37-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3444-71-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3444-39-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download