Analysis
max time kernel: 65s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2024 23:39

Static task: static1
Behavioral task: behavioral1 (Sample: in4.exe; Resource: win7-20240704-en)
Behavioral task: behavioral2 (Sample: in4.exe; Resource: win10v2004-20240709-en)

General
Target: in4.exe
Size: 32KB
MD5: 1186bb7e1df9e13bf138d9d729e067f2
SHA1: 5aaf54b08c0b5355b5960b246bf1b886084246a4
SHA256: 7138719c72f24985681569d1137ac7a636efe47b4a9514c73af585204f6c94d7
SHA512: a75a4af0a22f9e8fc863be95174b584bbcd83067ec00250bbf234ea078569e38944f2449c526f47e8fca0ed8d575332d80a475cb99956a6772f2e524e7d9f67d
SSDEEP: 384:8vt7vYMOmlpjVnvkAyyx7rh6oo+X4lj/jmeGKn9NIwKAgN:03VfyU/h6op4ljrmBKuA
Malware Config
Signatures
Deletes itself (1 IoCs)
pid / Process:
5796 cmd.exe
Executes dropped EXE (64 IoCs)
pid / Process: all 64 entries are lass.exe, with pids in order:
2972, 2440, 1436, 2932, 2936, 2212, 1820, 2752, 2844, 2896, 2848, 2828, 2748, 2632, 2688, 2756, 336, 2592, 2616, 2980, 1728, 2084, 1168, 2136, 2500, 2920, 2816, 2968, 2984, 2736, 3020, 3048, 3044, 2956, 1332, 784, 2892, 2908, 3016, 2924, 848, 264, 1984, 2220, 2732, 2468, 2408, 2840, 2152, 936, 1476, 324, 2216, 1944, 1380, 1800, 2824, 2280, 2304, 2184, 1912, 2284, 1968, 2180
Loads dropped DLL (64 IoCs)
pid / Process (each pid is recorded twice, giving 64 entries):
2348 in4.exe; then lass.exe with pids in order: 2972, 2440, 1436, 2932, 2936, 2212, 1820, 2752, 2844, 2896, 2848, 2828, 2748, 2632, 2688, 2756, 336, 2592, 2616, 2980, 1728, 2084, 1168, 2136, 2500, 2920, 2816, 2968, 2984, 2736, 3020
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (64 IoCs)
description / ioc / Process: all 64 entries are "File created C:\Windows\SysWOW64\lass.exe"; the Process column, in order (35 entries attributed to lass.exe, 29 recorded as "Process not Found"), is:
Process not Found ×1, lass.exe ×3, Process not Found ×1, lass.exe ×1, Process not Found ×1, lass.exe ×1, Process not Found ×1, lass.exe ×1, Process not Found ×3, lass.exe ×7, Process not Found ×2, lass.exe ×4, Process not Found ×1, lass.exe ×3, Process not Found ×2, lass.exe ×2, Process not Found ×3, lass.exe ×2, Process not Found ×2, lass.exe ×1, Process not Found ×3, lass.exe ×2, Process not Found ×3, lass.exe ×1, Process not Found ×2, lass.exe ×2, Process not Found ×2, lass.exe ×5, Process not Found ×2
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process: all 64 entries are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the Process column, in order (18 entries attributed to lass.exe, 5 to cmd.exe, 41 recorded as "Process not Found"), is:
Process not Found ×1, lass.exe ×3, Process not Found ×11, lass.exe ×3, Process not Found ×2, lass.exe ×1, cmd.exe ×1, Process not Found ×11, lass.exe ×3, cmd.exe ×1, Process not Found ×5, lass.exe ×1, cmd.exe ×1, Process not Found ×3, lass.exe ×2, cmd.exe ×1, Process not Found ×2, lass.exe ×4, cmd.exe ×1, Process not Found ×3, lass.exe ×1, Process not Found ×3
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process: all 64 entries are "Token: SeIncBasePriorityPrivilege"; the pid / Process column, in order, is:
2348 in4.exe; then lass.exe with pids: 2972, 2440, 1436, 2932, 2936, 2212, 1820, 2752, 2844, 2896, 2848, 2828, 2748, 2632, 2688, 2756, 2592, 336, 2616, 2980, 1728, 2084, 1168, 2136, 2500, 2920, 2816, 2968, 2984, 2736, 3020, 3048, 3044, 2956, 1332, 784, 2892, 2908, 3016, 2924, 848, 264, 1984, 2220, 2732, 2468, 2408, 2840, 2152, 936, 1476, 324, 2216, 1944, 1380, 1800, 2824, 2280, 2304, 2184, 1912, 2284, 1968
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (each of the 16 rows below is recorded 4 times, giving 64 entries):
PID 2348 wrote to memory of 2972 / 2348 / in4.exe / 29
PID 2972 wrote to memory of 2440 / 2972 / lass.exe / 30
PID 2440 wrote to memory of 1436 / 2440 / lass.exe / 31
PID 1436 wrote to memory of 2932 / 1436 / lass.exe / 32
PID 2932 wrote to memory of 2936 / 2932 / lass.exe / 33
PID 2936 wrote to memory of 2212 / 2936 / lass.exe / 34
PID 2212 wrote to memory of 1820 / 2212 / lass.exe / 35
PID 1820 wrote to memory of 2752 / 1820 / lass.exe / 36
PID 2752 wrote to memory of 2844 / 2752 / lass.exe / 37
PID 2844 wrote to memory of 2896 / 2844 / lass.exe / 38
PID 2896 wrote to memory of 2848 / 2896 / lass.exe / 39
PID 2848 wrote to memory of 2828 / 2848 / lass.exe / 40
PID 2828 wrote to memory of 2748 / 2828 / lass.exe / 41
PID 2748 wrote to memory of 2632 / 2748 / lass.exe / 42
PID 2632 wrote to memory of 2688 / 2632 / lass.exe / 43
PID 2688 wrote to memory of 2756 / 2688 / lass.exe / 44
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\in4.exe, command line "C:\Users\Admin\AppData\Local\Temp\in4.exe", PID 2348
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Levels 2 through 122 all have image path C:\Windows\SysWOW64\lass.exe and command line C:\Windows\system32\lass.exe, each nested one level below the previous entry. PIDs are listed in level order, with the signatures reported for each group.

Levels 2-16, PIDs 2972, 2440, 1436, 2932, 2936, 2212, 1820, 2752, 2844, 2896, 2848, 2828, 2748, 2632, 2688:
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 17, PID 2756:
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Level 18, PID 336:
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Levels 19-32, PIDs 2592, 2616, 2980, 1728, 2084, 1168, 2136, 2500, 2920, 2816, 2968, 2984, 2736, 3020:
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Levels 33-64, PIDs 3048, 3044, 2956, 1332, 784, 2892, 2908, 3016, 2924, 848, 264, 1984, 2220, 2732, 2468, 2408, 2840, 2152, 936, 1476, 324, 2216, 1944, 1380, 1800, 2824, 2280, 2304, 2184, 1912, 2284, 1968:
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Level 65, PID 2180:
- Executes dropped EXE

Levels 66-71, PIDs 2260, 2204, 2188, 2572, 2164, 2088: no signatures

Level 72, PID 2128:
- Drops file in System32 directory

Levels 73-86, PIDs 1720, 2580, 2536, 2308, 2568, 1000, 816, 2452, 1976, 2160, 1668, 1044, 2376, 2524: no signatures

Level 87, PID 2608:
- Drops file in System32 directory

Levels 88-99, PIDs 1732, 2024, 1484, 432, 616, 568, 2040, 2496, 1996, 856, 688, 1716: no signatures

Level 100, PID 2224:
- Drops file in System32 directory

Levels 101-117, PIDs 1488, 2104, 1464, 1792, 680, 3028, 840, 2432, 1208, 1140, 1336, 2148, 1588, 912, 3052, 2716, 1956: no signatures

Level 118, PID 1924:
- Drops file in System32 directory

Levels 119-122, PIDs 1468, 1624, 1236, 1740: no signatures