039004b76a1bc5ac020958256bdcf97f1464398c13b0be2e0d0078f1aee8b3a7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lonelyscreen-win-installer.exe
Size

538KB
MD5

64da00119c76c6e1d75f059ffc4a772d
SHA1

ebaebff7db60430cad107d4efc45654d43f98075
SHA256

039004b76a1bc5ac020958256bdcf97f1464398c13b0be2e0d0078f1aee8b3a7
SHA512

d13544aa2ee6060510c0f906e3f174a4ec40878f36193a99d6c527b62fa6a379115e965e272069b0e3f0479df16e6899a096ede37fb0832262c72d3d24f824f3
SSDEEP

12288:AS3yBV888888888888W88888888888pKfXGU69eTutORzK/AA9i6Zub02O9HtFbl:/3yLKfXG6wZ/D9kqtZaTq

Score

10^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
1260	lonelyscreen-win-installer.tmp
1976	setup.exe
4580	setup.tmp
2188	mDNSResponder.exe
1732	lonelyscreen.exe
2816	Process not Found

Loads dropped DLL 14 IoCs

pid	Process
1260	lonelyscreen-win-installer.tmp
216	MsiExec.exe
216	MsiExec.exe
216	MsiExec.exe
1524	MsiExec.exe
1524	MsiExec.exe
2936	MsiExec.exe
2452	MsiExec.exe
2108	MsiExec.exe
624	msedge.exe
2712	msedge.exe
1732	lonelyscreen.exe
2720	Process not Found
3016	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LonelyScreen = "C:\\Program Files (x86)\\LonelyScreen\\lonelyscreen.exe /start_context sys_auto"	setup.tmp

Blocklisted process makes network request 2 IoCs

flow	pid	Process
39	2032	msiexec.exe
43	2032	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\jdns_sd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dns-sd.exe	msiexec.exe
File created	C:\Windows\system32\dns-sd.exe	msiexec.exe
File created	C:\Windows\SysWOW64\dnssd.dll	msiexec.exe
File created	C:\Windows\system32\dnssd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dnssdX.dll	msiexec.exe
File created	C:\Windows\system32\dnssdX.dll	msiexec.exe
File created	C:\Windows\SysWOW64\jdns_sd.dll	msiexec.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LonelyScreen\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\LonelyScreen\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-LH2PD.tmp	lonelyscreen-win-installer.tmp
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-RQ1Q8.tmp	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf	msiexec.exe
File opened for modification	C:\Program Files (x86)\LonelyScreen\unins001.dat	lonelyscreen-win-installer.tmp
File created	C:\Program Files (x86)\LonelyScreen\unins001.dat	lonelyscreen-win-installer.tmp
File created	C:\Program Files (x86)\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar	msiexec.exe
File opened for modification	C:\Program Files (x86)\LonelyScreen\LonelyScreen.exe	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt_PT.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\LonelyScreen\is-IT2L6.tmp	setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ru.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\sv.lproj\About Bonjour.rtf	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1690.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e581325.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581325.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1993.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17FB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI180B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C92.tmp	msiexec.exe
File created	C:\Windows\Installer\e58132a.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3596	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lonelyscreen-win-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lonelyscreen-win-installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lonelyscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDEventManager\CLSID\ = "{BEEB932A-8D4A-4619-AEFE-A836F988B221}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID\ = "Bonjour.TXTRecord"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win64\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\ = "Apple Bonjour Library 1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ProgID\ = "Bonjour.DNSSDService.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\NumMethods\ = "9"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService\CLSID\ = "{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ = "ITXTRecord"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ = "DNSSDRecord Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ = "IDNSSDService"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord.1\ = "DNSSDRecord Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID\ = "Bonjour.DNSSDRecord"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDEventManager\ = "DNSSDEventManager Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord.1\CLSID\ = "{5E93C5A9-7516-4259-A67B-41A656F6E01C}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord\CurVer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ = "TXTRecord Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\2 = "C:\\ProgramData\\Apple\\Installer Cache\\Bonjour 3.0.0.10\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord.1\ = "TXTRecord Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ProgID\ = "Bonjour.TXTRecord.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\ProductIcon = "C:\\Windows\\Installer\\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\\Bonjour.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService.1\ = "DNSSDService Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B0163E6D0340BE4183EB2758E9BEDD8\mDNSResponder = "Bonjour"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\PackageName = "bonjour.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ = "TXTRecord Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Bonjour.DLL\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4580	setup.tmp
4580	setup.tmp
624	msedge.exe
624	msedge.exe
2712	msedge.exe
2712	msedge.exe
1880	identity_helper.exe
1880	identity_helper.exe
1260	lonelyscreen-win-installer.tmp
1260	lonelyscreen-win-installer.tmp
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3596	msiexec.exe
Token: SeSecurityPrivilege	2032	msiexec.exe
Token: SeCreateTokenPrivilege	3596	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3596	msiexec.exe
Token: SeLockMemoryPrivilege	3596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3596	msiexec.exe
Token: SeMachineAccountPrivilege	3596	msiexec.exe
Token: SeTcbPrivilege	3596	msiexec.exe
Token: SeSecurityPrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeLoadDriverPrivilege	3596	msiexec.exe
Token: SeSystemProfilePrivilege	3596	msiexec.exe
Token: SeSystemtimePrivilege	3596	msiexec.exe
Token: SeProfSingleProcessPrivilege	3596	msiexec.exe
Token: SeIncBasePriorityPrivilege	3596	msiexec.exe
Token: SeCreatePagefilePrivilege	3596	msiexec.exe
Token: SeCreatePermanentPrivilege	3596	msiexec.exe
Token: SeBackupPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeShutdownPrivilege	3596	msiexec.exe
Token: SeDebugPrivilege	3596	msiexec.exe
Token: SeAuditPrivilege	3596	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3596	msiexec.exe
Token: SeChangeNotifyPrivilege	3596	msiexec.exe
Token: SeRemoteShutdownPrivilege	3596	msiexec.exe
Token: SeUndockPrivilege	3596	msiexec.exe
Token: SeSyncAgentPrivilege	3596	msiexec.exe
Token: SeEnableDelegationPrivilege	3596	msiexec.exe
Token: SeManageVolumePrivilege	3596	msiexec.exe
Token: SeImpersonatePrivilege	3596	msiexec.exe
Token: SeCreateGlobalPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4580	setup.tmp
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
1732	lonelyscreen.exe
1732	lonelyscreen.exe
1260	lonelyscreen-win-installer.tmp

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
1732	lonelyscreen.exe
1732	lonelyscreen.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	lonelyscreen.exe
1732	lonelyscreen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 1260	4116	lonelyscreen-win-installer.exe	83
PID 4116 wrote to memory of 1260	4116	lonelyscreen-win-installer.exe	83
PID 4116 wrote to memory of 1260	4116	lonelyscreen-win-installer.exe	83
PID 1260 wrote to memory of 1976	1260	lonelyscreen-win-installer.tmp	97
PID 1260 wrote to memory of 1976	1260	lonelyscreen-win-installer.tmp	97
PID 1260 wrote to memory of 1976	1260	lonelyscreen-win-installer.tmp	97
PID 1976 wrote to memory of 4580	1976	setup.exe	98
PID 1976 wrote to memory of 4580	1976	setup.exe	98
PID 1976 wrote to memory of 4580	1976	setup.exe	98
PID 4580 wrote to memory of 2712	4580	setup.tmp	100
PID 4580 wrote to memory of 2712	4580	setup.tmp	100
PID 2712 wrote to memory of 2404	2712	msedge.exe	101
PID 2712 wrote to memory of 2404	2712	msedge.exe	101
PID 1260 wrote to memory of 3596	1260	lonelyscreen-win-installer.tmp	102
PID 1260 wrote to memory of 3596	1260	lonelyscreen-win-installer.tmp	102
PID 1260 wrote to memory of 3596	1260	lonelyscreen-win-installer.tmp	102
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 752	2712	msedge.exe	105
PID 2712 wrote to memory of 624	2712	msedge.exe	106
PID 2712 wrote to memory of 624	2712	msedge.exe	106
PID 2712 wrote to memory of 4320	2712	msedge.exe	107
PID 2712 wrote to memory of 4320	2712	msedge.exe	107
PID 2712 wrote to memory of 4320	2712	msedge.exe	107
PID 2712 wrote to memory of 4320	2712	msedge.exe	107
PID 2712 wrote to memory of 4320	2712	msedge.exe	107
PID 2712 wrote to memory of 4320	2712	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe
"C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\is-239PF.tmp\lonelyscreen-win-installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-239PF.tmp\lonelyscreen-win-installer.tmp" /SL5="$70228,164153,114176,C:\Users\Admin\AppData\Local\Temp\lonelyscreen-win-installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\is-GROV5.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-GROV5.tmp\setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\is-KTQGC.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-KTQGC.tmp\setup.tmp" /SL5="$6023C,7573378,114176,C:\Users\Admin\AppData\Local\Temp\is-GROV5.tmp\setup.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.lonelyscreen.com/installed.php?version=1.2.16
        5⤵
        Loads dropped DLL
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xa8,0x108,0x7ffa3c1c46f8,0x7ffa3c1c4708,0x7ffa3c1c4718
        6⤵
        
        PID:2404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        6⤵
        
        PID:752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
        6⤵
        
        PID:4320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        6⤵
        
        PID:2892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
        6⤵
        
        PID:1716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
        6⤵
        
        PID:1940
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
        6⤵
        
        PID:2208
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        6⤵
        
        PID:1364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
        6⤵
        
        PID:1620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
        6⤵
        
        PID:2208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
        6⤵
        
        PID:544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10457220987440733862,16848399750973137422,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:516
- - C:\Windows\SysWOW64\msiexec.exe
    "msiexec.exe" /qn /i C:\Users\Admin\AppData\Local\Temp\is-GROV5.tmp\bonjour.msi
    3⤵
    - Event Triggered Execution: Installer Packages
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- - C:\Program Files (x86)\LonelyScreen\lonelyscreen.exe
    "C:\Program Files (x86)\LonelyScreen\lonelyscreen.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2032
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 08D9BFDB4DD186F1564DC9221030DF09
  2⤵
  - Loads dropped DLL
  PID:216
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2E3E62386470771838A40AA22E7B7D25
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 766182FB87281CCD24D200BD0E6B4144 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:2452
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2296

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581328.rbs

Filesize
126KB

MD5
9a7f6c271698d04d01ca6a8983896b39

SHA1
f3400254d349b67913735abc351259c76c1b6e3d

SHA256
7950ab35b4a1f39e44f893ae5cc1404f1c438d3a3dbcb10596614e9ba5dd6916

SHA512
aed024d5b66a901e9e8bc760bd7665b5de83f3664f236af71eb640fabc394600a8a3515fadc560513f7546a7624ba8af45916dbe4696aae5a80b34c23231e152

Download Submit
C:\Program Files (x86)\Bonjour\mDNSResponder.exe

Filesize
381KB

MD5
db5bea73edaf19ac68b2c0fad0f92b1a

SHA1
74bb0197763e386036751bf30c5bbf4c389fa24e

SHA256
10f21999ff6b1d410ebf280f7f27deaca5289739cf12f4293b614b8fc6c88dcc

SHA512
63b718288c266debf3f58ac1a62cdcca6f09350616d53a406271d8f4fe6144751eddf7b7ba2dbfe79cfda671ee5afbdbae5798204edaaf4f0391895b824ae7c5

Download Submit
C:\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
118KB

MD5
40947436a70e0034e41123df5a0a7702

SHA1
6c27e1dd1c1533feb6435190a5074300ac2a9822

SHA256
5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9

SHA512
ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704

Download Submit
C:\Program Files (x86)\LonelyScreen\LonelyScreen.exe

Filesize
22.3MB

MD5
a3ff7e328f41f4a6af82266bfe12036f

SHA1
79f0e44415ffe74b320dfb27c8988d326dc80b2e

SHA256
9f2a9f89adda3003c587e4a9bdf5decf3260beefb135180e44845aee7730f731

SHA512
472625b9ab26e83845a72423722e4b1286dce950597a52e95dff385bb33c1a1e4870755f273c8a02dea0793d04bdad7779cc05c786dff7ed624f5feb46d0a803

Download Submit
C:\Program Files (x86)\LonelyScreen\is-LH2PD.tmp

Filesize
1.1MB

MD5
cc8b164c85cc68a2e6e0d10e452ef68b

SHA1
fed79b50a5f03c0e33071ff849ea19dfdaf3c464

SHA256
20590034969e110c4fba1d065da8ac53dad79f5b8a9bd68780164207a170c749

SHA512
bee540ceb2b1de587872cdb963d2c754ac4ba0f3cac8026c3d7c2882aae0bfeb31babae927361b2ef5484ab2085b4a19914cc99a504aafd3f08c34f9f626699d

Download Submit
C:\Program Files (x86)\LonelyScreen\unins000.dat

Filesize
6KB

MD5
4fda89f269639b11542a0ce3cead0f80

SHA1
e1a0f8858da7000a9d7b77ec78d80c893986b530

SHA256
233074190d6f0371a86b518395a82374821554f374d310df61e4e9a15ce61641

SHA512
0194a246be7ffcd37d5eb2f0ea1eff7424ddcd601e8c97168356cdc96c21b79251e80bcaa32755b9fe68c60098fbe51b9b5444f98138671edf5dcbd994fc4288

Download Submit
C:\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
ebbcd5dfbb1de70e8f4af8fa59e401fd

SHA1
5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88

SHA256
17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122

SHA512
2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar

Filesize
16KB

MD5
ca086bb31b598febd7e8d44daf14714a

SHA1
4838808e80df811cfb2bf7faf361b3cbc16f9f81

SHA256
3818abdee5b1d3d77ae4a5ace25a638b2d7d624605f8e8ce14dd6d4c6639c00c

SHA512
54188bf433a0da1b6b8f6f881af6d681a6bb629693191c7ee46f852953529cb94dfa894aca574e1cd7355985ea8d6187e7694c8144ea1db880922676f0dfe0c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E73DB4BC7EC7D53DAA55B0E346CCF24

Filesize
504B

MD5
511910bc49ec9525c92333e46e098c79

SHA1
9ede4d03764ec207dcdfea8e3c002a47845db53e

SHA256
9f8b975cae9e28901cc94ce3da3e95d1b3a087a2a5f8781bc307626dc0416117

SHA512
4aa2d9e50218d49fe813b2e89a6979e1553e43456f51541bebc8c77cb4ad7543d33b93eafeb34cce229a73d4f1604d9537d1e1bd8203047f85a9648e9fe8fdf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
e324b9dc3e32787e906936e79041abfa

SHA1
9750837aa8fb35d031c27d00fa3103a207bcb5ee

SHA256
de734d272359840d873daf48c674cd1e1b0cc86d5e27dd629b8f10b2b021ac4d

SHA512
9e632c07af3b2bb480d15fb8c936aaa63587bf35616e770987786c752a9382693bf49d62cc5ae204d3ae755e949c53f857aec85b93e82075566b96213f623f2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E73DB4BC7EC7D53DAA55B0E346CCF24

Filesize
546B

MD5
b469e0e4a768b507b66ccdc500c9378f

SHA1
496acd17cdee9a2d2b6a7a50458e20748a38fad6

SHA256
c0b7eaf1459fe4a976dcc8a53694e43b039e4f2496db3daee04f0504cce607c7

SHA512
d02322166906adec87767720d4f73df1acb16b5994cc3c3744bb5a6c8165b8b609ad5a362bc92a2e8663eb5c1c7912a57dadab886ac02526caaeec55491b0ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
9558e31ad4eeef430d7b0d73902cfe44

SHA1
bf9cd132fad86851ae5201c70cc875e494185d19

SHA256
300a01033194bea0ef1f4813cf2ddf5e24d2e388e8e5f9a78e6861985af20633

SHA512
cb3d58d1c28b49fd1e660562419c2a391aaf3e99ceebb6b9ca08daeb38ff21c82ffd0f37a83fbc48803f1eb7683ed78f917a3f507cc435b92ed86264f8013a56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
182390c4255003fc562beb536cb3adfe

SHA1
5b98465b6073ec37758cedae9ae8510630c43533

SHA256
c216614c789247d6cd7b484050f081b186d4f0e2c29989cbea986f9349e74ed4

SHA512
adc51c6aa1c1796ede6ce0de34616a563f8d3bbcd8a82ec9acc3b6ad74ce462065a2ae5cd44ce25a43f5113697b58b9302bbcddb1067371bd8cba6e46e972c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c34017d19dcd3f05a6deee8b278e3d96

SHA1
2bdab161d654b7d145712a196696fd55c9a73524

SHA256
a7538dcb6aa667383a8f9f5ea3b5e91e7e15394024272e070694d30ab7bbf89c

SHA512
54b01197bae346b97e80ab96f5c57f0c9458f6e03d795721f35900da12848fe8e2ceed24fce4b608ccd4a7f2e392809ffe8973a71929e35ee08f0aef9134738a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
928292bac25e7541a6ecd0f3789b1c66

SHA1
e8668c017da0c4e611f23fd3764e2ae43ed16a88

SHA256
e56996aa6b02d1e9e8d3d9476b7520d71284234269951d388289fcb79ad3a344

SHA512
4b2f3fbde05179cb242e41af151f6bb826a1bcf51f8571533446da05bdce057bb655e0e80a5eacf2d535a5d4e419f3ed4491afc288202cb7ce3d7be92b2e593f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bab0ec973793c6e7c6ea2d118a30aa48

SHA1
11f85d826c92ce79467c2f73f958bfdf5dbe1e31

SHA256
94afc736ca4a50b429e87d078c59225d8c479676c8b1835bb6da6580d88003bd

SHA512
9e4bd25c29f827ad11dae8dedfb34377ae6731dc8f36e0d1ac0109b4f10961f7a8855d8d13619b5b05d08f268a39cad36ef6526b6f5d3403506e11fa5037d031

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-239PF.tmp\lonelyscreen-win-installer.tmp

Filesize
1.1MB

MD5
f120c361b527a9d090782300aa8f1ce5

SHA1
ed82441da0dc7a5695ef96839fc2aea0f0c7e376

SHA256
9209a83ac4b0127081327b6e03960e2a4325dbb31f0bba2b56dfb785583f9825

SHA512
60fc418c4296f67b923e1fff4e6034ed41eeba61604b14d560cfd84e7476b59311c6029aee7ee602d8fdc635107855e5c05dcf6a0137c6ba89db7134e63e5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GROV5.tmp\bonjour.msi

Filesize
2.6MB

MD5
8dcf5c9eaacdaf4568220d103f393dea

SHA1
27f68596398b68ba048f95752b4eeb4aa013c23f

SHA256
53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93

SHA512
10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GROV5.tmp\isxdl.dll

Filesize
131KB

MD5
16881920cbe9ddb46c3ef29ee405a857

SHA1
0f76cffc2e57cf5c481a8015d203b96638d36ef5

SHA256
59abe5f46020cb56e1079df8dc1145b2033e4b1459ae3d92f637064a6b618bc1

SHA512
f07d1f4133a2ba2bda92fa6f55360fae73e44b97756ee3044f31af5f9e01cda34e7efbb1520c0b5aa2a496edc03ed4fefdc4ad419c1028b1ce6457b69aabeba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GROV5.tmp\setup.exe

Filesize
7.6MB

MD5
7a2f16b1053362d8e8edae5e320dd4d9

SHA1
8cda4387a93287f38d2b48fb109bd54a77bcdcf9

SHA256
d2c7d87fad0c0fa94a4e2acdca4524cda696f2fd0c53ea9ddbe927da839707fa

SHA512
2277ee7ac98560093a652019bf3a2fb18f02718580ef6711532498aaa17b87705266ed83093ffd4cfc73ec608a76359336a1780586679838633ac403bf683bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PH6RT.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Windows\Installer\MSI1690.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Windows\Installer\MSI180B.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\SysWOW64\dnssd.dll

Filesize
71KB

MD5
062373995eae5f0eac9eaa9192136bfb

SHA1
b421e274da7d34aba8bf09ec2d3e7b4a01392b84

SHA256
0392d5656bd677c4c5cb74c96e7b85b0867f2535a37950aec7f5c4a1a70d19ae

SHA512
89c01c6c0abb7462a0dff6d9d03141f5dc42d08fcb22e44e532d8a87dd9d8c7db2fc272a1a52a147645e54d0116db94878fedc81f5fe4e5bf7d15292d95b2b88

Download Submit
memory/1260-43-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1260-25-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1260-17-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1260-158-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1260-273-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1260-7-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1976-35-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1976-33-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1976-66-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4116-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4116-2-0x0000000000401000-0x0000000000410000-memory.dmp

Filesize
60KB

Download
memory/4116-274-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4116-26-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4580-64-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/4580-42-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download