257f8251ab61b944b75deafc681030a20b6dd5ae03b8540d8f482a6c291efb96

Resubmissions

06-07-2024 22:02

240706-1x4eratgrl 7

06-07-2024 19:00

240706-xnn2xssgpc 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

processlassosetup64.exe
Size

2.5MB
MD5

079d9a59d53120f4835d58728a8a1614
SHA1

8deb42134fe9d06e91c36ae196b0448c1ddc5e80
SHA256

257f8251ab61b944b75deafc681030a20b6dd5ae03b8540d8f482a6c291efb96
SHA512

cb572655f3a7b2c8767b9813b45e1ab8b76d16f6e7b29b922b0ea756091fc55663c4bcc935a71854e1049713bb51b3bc5c73827a3885bbe7ac0f84ef0303a14d
SSDEEP

49152:K6+yyE+nj/76iNaWWHLjbZx8RI3DMl949upGnH/FrjWdTlxUZRS:Khj/76esbZDDMoApyfFrjkfiS

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 38 IoCs

Processes:

processlassosetup64.exe

description	ioc	process
File created	C:\Program Files\Process Lasso\pl_rsrc_english.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_ptbr.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_korean.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\InstallHelper.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\ProcessGovernor.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\TweakScheduler.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\QuickUpgrade.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\CPUEater.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_french.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_russian.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\srvstub.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\ProcessLasso.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\testlasso.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_japanese.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\ThreadRacer.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_german.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\start-governor.bat	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\uninstall.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_finnish.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_chinese_traditional.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_italian.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_slovenian.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\ProcessLassoLauncher.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\LogViewer.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\Insights.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\stop-governor.bat	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl.cmd	processlassosetup64.exe
File opened for modification	C:\Program Files\Process Lasso	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\bitsumsessionagent.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\vistammsc.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_polish.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_spanish.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\LICENSES	processlassosetup64.exe
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_english.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_chinese.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_bulgarian.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl-update.cmd	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\plActivate.exe	processlassosetup64.exe

Executes dropped EXE 15 IoCs

Processes:

installhelper.exeinstallHelper.exeinstallHelper.exeInstallHelper.exeInstallHelper.exeInstallHelper.exeInstallHelper.exeinstallHelper.exeinstallHelper.exesrvstub.exeinstallhelper.exeprocessgovernor.exeprocesslasso.exebitsumsessionagent.exeProcessLassoLauncher.exe

pid	process
1176	installhelper.exe
1504	installHelper.exe
392	installHelper.exe
3988	InstallHelper.exe
2616	InstallHelper.exe
3480	InstallHelper.exe
3060	InstallHelper.exe
1036	installHelper.exe
4480	installHelper.exe
5092	srvstub.exe
1900	installhelper.exe
4936	processgovernor.exe
560	processlasso.exe
4224	bitsumsessionagent.exe
776	ProcessLassoLauncher.exe

Loads dropped DLL 18 IoCs

Processes:

processlassosetup64.exeinstallhelper.exeinstallHelper.exeinstallHelper.exeInstallHelper.exeInstallHelper.exeInstallHelper.exeInstallHelper.exeinstallHelper.exeinstallHelper.exeinstallhelper.exeprocessgovernor.exeprocesslasso.exeProcessLassoLauncher.exe

pid	process
3616	processlassosetup64.exe
3616	processlassosetup64.exe
1176	installhelper.exe
1504	installHelper.exe
392	installHelper.exe
3988	InstallHelper.exe
2616	InstallHelper.exe
3480	InstallHelper.exe
3060	InstallHelper.exe
1036	installHelper.exe
4480	installHelper.exe
1900	installhelper.exe
4936	processgovernor.exe
4936	processgovernor.exe
560	processlasso.exe
560	processlasso.exe
776	ProcessLassoLauncher.exe
776	ProcessLassoLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

installHelper.exeinstallhelper.exeInstallHelper.exeinstallhelper.exeinstallHelper.exeInstallHelper.exeInstallHelper.exeInstallHelper.exeinstallHelper.exeprocessgovernor.exeinstallHelper.exeprocesslasso.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processgovernor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processgovernor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

processgovernor.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\ProcessLasso	processgovernor.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\ProcessLasso\Language = "1033"	processgovernor.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\ProcessLasso\InstallerLanguageDWORD = "1033"	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\ProcessLasso	processgovernor.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\ProcessLasso\ProcessLasso = 09040000	processgovernor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

installhelper.exeInstallHelper.exeinstallhelper.exeprocesslasso.exeprocessgovernor.exe

pid	process
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
1176	installhelper.exe
3060	InstallHelper.exe
3060	InstallHelper.exe
3060	InstallHelper.exe
3060	InstallHelper.exe
1900	installhelper.exe
1900	installhelper.exe
1900	installhelper.exe
1900	installhelper.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
4936	processgovernor.exe
4936	processgovernor.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
4936	processgovernor.exe
4936	processgovernor.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
4936	processgovernor.exe
4936	processgovernor.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
4936	processgovernor.exe
4936	processgovernor.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

processlasso.exebitsumsessionagent.exeprocessgovernor.exe

pid process

560 processlasso.exe
4224 bitsumsessionagent.exe
4936 processgovernor.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1176	installhelper.exe
Token: SeDebugPrivilege	1176	installhelper.exe
Token: SeChangeNotifyPrivilege	1176	installhelper.exe
Token: SeIncBasePriorityPrivilege	1176	installhelper.exe
Token: SeIncreaseQuotaPrivilege	1176	installhelper.exe
Token: SeProfSingleProcessPrivilege	1176	installhelper.exe
Token: SeAssignPrimaryTokenPrivilege	1504	installHelper.exe
Token: SeDebugPrivilege	1504	installHelper.exe
Token: SeChangeNotifyPrivilege	1504	installHelper.exe
Token: SeIncBasePriorityPrivilege	1504	installHelper.exe
Token: SeIncreaseQuotaPrivilege	1504	installHelper.exe
Token: SeProfSingleProcessPrivilege	1504	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	392	installHelper.exe
Token: SeDebugPrivilege	392	installHelper.exe
Token: SeChangeNotifyPrivilege	392	installHelper.exe
Token: SeIncBasePriorityPrivilege	392	installHelper.exe
Token: SeIncreaseQuotaPrivilege	392	installHelper.exe
Token: SeProfSingleProcessPrivilege	392	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	3988	InstallHelper.exe
Token: SeDebugPrivilege	3988	InstallHelper.exe
Token: SeChangeNotifyPrivilege	3988	InstallHelper.exe
Token: SeIncBasePriorityPrivilege	3988	InstallHelper.exe
Token: SeIncreaseQuotaPrivilege	3988	InstallHelper.exe
Token: SeProfSingleProcessPrivilege	3988	InstallHelper.exe
Token: SeAssignPrimaryTokenPrivilege	2616	InstallHelper.exe
Token: SeDebugPrivilege	2616	InstallHelper.exe
Token: SeChangeNotifyPrivilege	2616	InstallHelper.exe
Token: SeIncBasePriorityPrivilege	2616	InstallHelper.exe
Token: SeIncreaseQuotaPrivilege	2616	InstallHelper.exe
Token: SeProfSingleProcessPrivilege	2616	InstallHelper.exe
Token: SeAssignPrimaryTokenPrivilege	3480	InstallHelper.exe
Token: SeDebugPrivilege	3480	InstallHelper.exe
Token: SeChangeNotifyPrivilege	3480	InstallHelper.exe
Token: SeIncBasePriorityPrivilege	3480	InstallHelper.exe
Token: SeIncreaseQuotaPrivilege	3480	InstallHelper.exe
Token: SeProfSingleProcessPrivilege	3480	InstallHelper.exe
Token: SeAssignPrimaryTokenPrivilege	3060	InstallHelper.exe
Token: SeDebugPrivilege	3060	InstallHelper.exe
Token: SeChangeNotifyPrivilege	3060	InstallHelper.exe
Token: SeIncBasePriorityPrivilege	3060	InstallHelper.exe
Token: SeIncreaseQuotaPrivilege	3060	InstallHelper.exe
Token: SeProfSingleProcessPrivilege	3060	InstallHelper.exe
Token: SeAssignPrimaryTokenPrivilege	1036	installHelper.exe
Token: SeDebugPrivilege	1036	installHelper.exe
Token: SeChangeNotifyPrivilege	1036	installHelper.exe
Token: SeIncBasePriorityPrivilege	1036	installHelper.exe
Token: SeIncreaseQuotaPrivilege	1036	installHelper.exe
Token: SeProfSingleProcessPrivilege	1036	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	4480	installHelper.exe
Token: SeDebugPrivilege	4480	installHelper.exe
Token: SeChangeNotifyPrivilege	4480	installHelper.exe
Token: SeIncBasePriorityPrivilege	4480	installHelper.exe
Token: SeIncreaseQuotaPrivilege	4480	installHelper.exe
Token: SeProfSingleProcessPrivilege	4480	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	5092	srvstub.exe
Token: SeCreateGlobalPrivilege	5092	srvstub.exe
Token: SeAssignPrimaryTokenPrivilege	1900	installhelper.exe
Token: SeDebugPrivilege	1900	installhelper.exe
Token: SeChangeNotifyPrivilege	1900	installhelper.exe
Token: SeIncBasePriorityPrivilege	1900	installhelper.exe
Token: SeIncreaseQuotaPrivilege	1900	installhelper.exe
Token: SeProfSingleProcessPrivilege	1900	installhelper.exe
Token: SeAssignPrimaryTokenPrivilege	4936	processgovernor.exe
Token: SeDebugPrivilege	4936	processgovernor.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

processlasso.exe

pid	process
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe

Suspicious use of SendNotifyMessage 50 IoCs

Processes:

processlasso.exe

pid	process
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe
560	processlasso.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

processlassosetup64.exesrvstub.exe

description	pid	process	target process
PID 3616 wrote to memory of 1176	3616	processlassosetup64.exe	installhelper.exe
PID 3616 wrote to memory of 1176	3616	processlassosetup64.exe	installhelper.exe
PID 3616 wrote to memory of 1504	3616	processlassosetup64.exe	installHelper.exe
PID 3616 wrote to memory of 1504	3616	processlassosetup64.exe	installHelper.exe
PID 3616 wrote to memory of 392	3616	processlassosetup64.exe	installHelper.exe
PID 3616 wrote to memory of 392	3616	processlassosetup64.exe	installHelper.exe
PID 3616 wrote to memory of 3988	3616	processlassosetup64.exe	InstallHelper.exe
PID 3616 wrote to memory of 3988	3616	processlassosetup64.exe	InstallHelper.exe
PID 3616 wrote to memory of 2616	3616	processlassosetup64.exe	InstallHelper.exe
PID 3616 wrote to memory of 2616	3616	processlassosetup64.exe	InstallHelper.exe
PID 3616 wrote to memory of 3480	3616	processlassosetup64.exe	InstallHelper.exe
PID 3616 wrote to memory of 3480	3616	processlassosetup64.exe	InstallHelper.exe
PID 3616 wrote to memory of 3060	3616	processlassosetup64.exe	InstallHelper.exe
PID 3616 wrote to memory of 3060	3616	processlassosetup64.exe	InstallHelper.exe
PID 3616 wrote to memory of 1036	3616	processlassosetup64.exe	installHelper.exe
PID 3616 wrote to memory of 1036	3616	processlassosetup64.exe	installHelper.exe
PID 3616 wrote to memory of 4480	3616	processlassosetup64.exe	installHelper.exe
PID 3616 wrote to memory of 4480	3616	processlassosetup64.exe	installHelper.exe
PID 3616 wrote to memory of 1900	3616	processlassosetup64.exe	installhelper.exe
PID 3616 wrote to memory of 1900	3616	processlassosetup64.exe	installhelper.exe
PID 5092 wrote to memory of 4936	5092	srvstub.exe	processgovernor.exe
PID 5092 wrote to memory of 4936	5092	srvstub.exe	processgovernor.exe
PID 3616 wrote to memory of 560	3616	processlassosetup64.exe	processlasso.exe
PID 3616 wrote to memory of 560	3616	processlassosetup64.exe	processlasso.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\processlassosetup64.exe
"C:\Users\Admin\AppData\Local\Temp\processlassosetup64.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3616

C:\Program Files\Process Lasso\installhelper.exe
"C:\Program Files\Process Lasso\installhelper.exe" /terminate
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Program Files\Process Lasso\installHelper.exe
"C:\Program Files\Process Lasso\installHelper.exe" /firstinstall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Program Files\Process Lasso\installHelper.exe
"C:\Program Files\Process Lasso\installHelper.exe" /migrate
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Program Files\Process Lasso\InstallHelper.exe
"C:\Program Files\Process Lasso\InstallHelper.exe" /powerinstall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Program Files\Process Lasso\InstallHelper.exe
"C:\Program Files\Process Lasso\InstallHelper.exe" /install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Program Files\Process Lasso\InstallHelper.exe
"C:\Program Files\Process Lasso\InstallHelper.exe" /env_path_install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Program Files\Process Lasso\InstallHelper.exe
"C:\Program Files\Process Lasso\InstallHelper.exe" /enable_update_check
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Program Files\Process Lasso\installHelper.exe
"C:\Program Files\Process Lasso\installHelper.exe" /initconfig
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Program Files\Process Lasso\installHelper.exe
"C:\Program Files\Process Lasso\installHelper.exe" /startgovernorservice
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Program Files\Process Lasso\installhelper.exe
"C:\Program Files\Process Lasso\installhelper.exe" /langcheck
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Program Files\Process Lasso\processlasso.exe
"C:\Program Files\Process Lasso\processlasso.exe" /install /nodelay /showwindow
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:560

C:\Program Files\Process Lasso\srvstub.exe
"C:\Program Files\Process Lasso\srvstub.exe" "C:\Program Files\Process Lasso\processgovernor.exe" "ProcessGovernor" /exitevent:Global\ProcessGovernorExitEvent
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Program Files\Process Lasso\processgovernor.exe
"C:\Program Files\Process Lasso\processgovernor.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Program Files\Process Lasso\bitsumsessionagent.exe
"C:\Program Files\Process Lasso\bitsumsessionagent.exe" ----------------------------------------------------------------
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4224

C:\Program Files\Process Lasso\ProcessLassoLauncher.exe
"C:\Program Files\Process Lasso\ProcessLassoLauncher.exe" /showwindow /nodelay
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Lasso\InstallHelper.exe

Filesize
764KB

MD5
92abdca748e47cb140160230b54c5a9f

SHA1
9f650c394477c26e9679c928e9292aff491bc460

SHA256
692f402c7f1cd5db5f6e7074e5068e32ca3686bfb6e4896984187230b4291238

SHA512
1868d4b55415c790bc7bc0ae9f85b9892056fe049d9b32b7f14f468aab1169091e15e88d1e808f9ca4e2e545ecf9b3a32ac34de7535ca3a6797adb72f7b5fac5

Download Submit
C:\Program Files\Process Lasso\ProcessGovernor.exe

Filesize
1.2MB

MD5
cfdfe7f0dcfa090e86aec3eac408cb2c

SHA1
58f6aa0cb957c8a93ecbf379313100dfbaf638e9

SHA256
4ef5b4b9664c3ec9a7a8985885322de657275c4a4ce45a2eef3a8f745175b7f1

SHA512
5cac13777d64773acced61b46ef19fb0e4143849423d53a5d2d8a34d098c735121d6268881d8bbae86e600e4365d93c863f396a90cc52c03e4e238951adbbaff

Download Submit
C:\Program Files\Process Lasso\ProcessLasso.exe

Filesize
1.8MB

MD5
8fcf7cf04f9b344724759ee830e97ff7

SHA1
7e89c71637362333246cb6f7b30f34a2b7693407

SHA256
449c423ae1a63259989c85176dcc808f767346944eb40eac270ce27795abc1c2

SHA512
3acc527ac9014db980d4c511fd416e32d627f616eb09559a2c3b0cb038a86eee6adf526488053fd09e34ba66fec6109bc534178e4371147d1b23f29803668759

Download Submit
C:\Program Files\Process Lasso\ProcessLassoLauncher.exe

Filesize
397KB

MD5
ffba9b08c6fb3394e03b57f2fb4cec9a

SHA1
21dfe7d8910159b769c248e56770a1dca9810b8c

SHA256
9048d95e30d8ebe36b248da25ac9df5104c231ec3b0ae83a72ac31b513c13061

SHA512
34fa80088b06566c660b19b4c1bbfcbce3dfbb50485bd9ede097577a2309c4f41afa5086541a87b25bda8b2e745336c135363b615782b84911334c959e921614

Download Submit
C:\Program Files\Process Lasso\bitsumsessionagent.exe

Filesize
177KB

MD5
829167f1f56b6ea1ca6aace9a89bf306

SHA1
466e6793f17b18ca33691ee3f227051614dffd7b

SHA256
f211d0772d13c5258af7ccef5cd7e815a1e40def91c799b061d1b17070694169

SHA512
091486ec463da26dfc04f8ee79b0d7ef5ebdfbe0876723716fcf9f64a620ba0d38461b585e33dffece98966eb10764efeaddf3d452792f787467ae2b7afb6f10

Download Submit
C:\Program Files\Process Lasso\pl_rsrc_english.dll

Filesize
1.9MB

MD5
258063bdcafc8fd2a2a50d9065989ad6

SHA1
ee1bebd8c909d8ebe3b5b6f155c68fc7e6696e31

SHA256
01b75b825eef6092db03156d3e87342a875bfd355a6cf8d9a87365f4c5fda85f

SHA512
b0732da44481e09f38e903fab2bf81447bf661d785631ab2b7421a89b80ef2db38203d85dbea5535c5bb09e8550a2ca737db6c86eac372515ebdf803a59cb5ca

Download Submit
C:\Program Files\Process Lasso\srvstub.exe

Filesize
133KB

MD5
2c17206c6999b783282660a2e063a2e2

SHA1
74ed4d0998a0a7bff251061645992956afa0939d

SHA256
9d628e45c53520fe7b4007a4b0e7f02a45e8622fe6f3e9e7f743725ee813a7e3

SHA512
cbb7b7823f6c78c21046f4c9bdf1e097bb68c17456b1cc0a10076840073ca4e8bb46de550c4aed87e9a0e37908ac214b322f5c3b25dde0bfab9694c895fdfe1a

Download Submit
C:\ProgramData\ProcessLasso\config\prolasso.ini

Filesize
8KB

MD5
24a75fe52d2799fe8f5dd3f8069fd335

SHA1
8f8da9775498c9b8dbc2360d7d5c7c19d7034e1f

SHA256
d1ee39d4b63ce730ec518691e9f9e5cb5752ae06b83acd5abf5a01031164fc04

SHA512
40bffda27b7ce8a690f1af31b91eaff6893db842e1e4c502720027ba00f464b69bff0862265d141477f9956776489d5db7e2650bf50513b63b4ab23a507d072e

Download Submit
C:\ProgramData\ProcessLasso\logs\processlasso.log

Filesize
786B

MD5
06c353ca9b8847ffe2359e8a4a7b995a

SHA1
632b98229ed3b0ccbe8eb825805ae83481c3eb98

SHA256
68e4513a8d37b46d6aa81b4cc8c59381034c350c0046a272aad63e8fc4867710

SHA512
7ec760c864d8fd0951bb3b9b91b680a6377994b7dde4320bb72bde57f44c0562e8450b86b9b20d1ab8b891f6e4e2846c8fc0759b427c0f2982e850534b6d770f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg4940.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg4940.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit