82f873bfd03cc465428949a70260e9dc38aa763f75eab89230561fedf3abdd7b

Resubmissions

12/09/2024, 21:39

240912-1hv5tswhqf 7

12/09/2024, 21:24

240912-z81mkavhnr 7

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Process Lasso 15.0.0.50.exe
Size

4.9MB
MD5

4c3abbc1e424e1d374db1e9d57b6a0a0
SHA1

b028ea67800374322a086f01b4723499a27fcb95
SHA256

25fcc07c9803f0607e4926d36cddeaea01fecd95efcd4c479c13b8a6ec13a472
SHA512

4f5652b9b46a036d1d3ee9e954aa516c4dfd71ab72f73580e7f3b7d4852536212b9e62a6bc4c4dc107a238822aaccb051dfc50e0a3b0a59f0b4e71317a9902d3
SSDEEP

98304:PesI+4xdgLYve208aViDgmRzg7G52QXp1XKlJ+0lfHlg7Nm:XI+4tve7V0gUh5PKlJ+0lfHuNm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3944	Process Lasso 15.0.0.50.tmp
1072	installHelper.exe
1504	installHelper.exe
4272	installHelper.exe
4752	installHelper.exe

Loads dropped DLL 8 IoCs

pid	Process
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
1072	installHelper.exe
1504	installHelper.exe
4272	installHelper.exe
4752	installHelper.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_spanish.dll	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_english.dll	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-ECI46.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-4PG5B.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\Insights.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_japanese.dll	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-UTNN4.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-H39LR.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-32V7A.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-36ONQ.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_korean.dll	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-1D4LT.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-NPC3Q.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-OQ7QR.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\ProcessLasso.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_french.dll	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\testlasso.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_slovenian.dll	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-E27G5.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-PULGF.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_chinese.dll	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-UOJBP.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-UNP1P.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-58KM2.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-34BV8.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-1VI15.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\ProcessGovernor.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\LogViewer.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_ptbr.dll	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\unins000.dat	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-FK2LN.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-1DUST.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_bulgarian.dll	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\CPUEater.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\srvstub.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\ThreadRacer.exe	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-E9RFV.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-B2HTV.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-6T4J3.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\InstallHelper.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_finnish.dll	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-7MATN.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-P1I32.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\bitsumsessionagent.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_chinese_traditional.dll	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-D912V.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-BSS4C.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-D28C1.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-C2O1K.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-Q4D0D.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\TweakScheduler.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_italian.dll	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-72D7K.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_polish.dll	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\QuickUpgrade.exe	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-SNESM.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-FKNKE.tmp	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-OJOGC.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\unins000.dat	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_russian.dll	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\vistammsc.exe	Process Lasso 15.0.0.50.tmp
File created	C:\Program Files\Process Lasso\is-L608F.tmp	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\ProcessLassoLauncher.exe	Process Lasso 15.0.0.50.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_german.dll	Process Lasso 15.0.0.50.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process Lasso 15.0.0.50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process Lasso 15.0.0.50.tmp

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4952	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
1936	msedge.exe
1936	msedge.exe
544	msedge.exe
544	msedge.exe
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
544	msedge.exe
544	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1072	installHelper.exe
Token: SeDebugPrivilege	1072	installHelper.exe
Token: SeChangeNotifyPrivilege	1072	installHelper.exe
Token: SeIncBasePriorityPrivilege	1072	installHelper.exe
Token: SeIncreaseQuotaPrivilege	1072	installHelper.exe
Token: SeProfSingleProcessPrivilege	1072	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	1504	installHelper.exe
Token: SeDebugPrivilege	1504	installHelper.exe
Token: SeChangeNotifyPrivilege	1504	installHelper.exe
Token: SeIncBasePriorityPrivilege	1504	installHelper.exe
Token: SeIncreaseQuotaPrivilege	1504	installHelper.exe
Token: SeProfSingleProcessPrivilege	1504	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	4272	installHelper.exe
Token: SeDebugPrivilege	4272	installHelper.exe
Token: SeChangeNotifyPrivilege	4272	installHelper.exe
Token: SeIncBasePriorityPrivilege	4272	installHelper.exe
Token: SeIncreaseQuotaPrivilege	4272	installHelper.exe
Token: SeProfSingleProcessPrivilege	4272	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	4752	installHelper.exe
Token: SeDebugPrivilege	4752	installHelper.exe
Token: SeChangeNotifyPrivilege	4752	installHelper.exe
Token: SeIncBasePriorityPrivilege	4752	installHelper.exe
Token: SeIncreaseQuotaPrivilege	4752	installHelper.exe
Token: SeProfSingleProcessPrivilege	4752	installHelper.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3944	Process Lasso 15.0.0.50.tmp
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp
3944	Process Lasso 15.0.0.50.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 3944	784	Process Lasso 15.0.0.50.exe	83
PID 784 wrote to memory of 3944	784	Process Lasso 15.0.0.50.exe	83
PID 784 wrote to memory of 3944	784	Process Lasso 15.0.0.50.exe	83
PID 3944 wrote to memory of 4952	3944	Process Lasso 15.0.0.50.tmp	97
PID 3944 wrote to memory of 4952	3944	Process Lasso 15.0.0.50.tmp	97
PID 3944 wrote to memory of 1072	3944	Process Lasso 15.0.0.50.tmp	98
PID 3944 wrote to memory of 1072	3944	Process Lasso 15.0.0.50.tmp	98
PID 3944 wrote to memory of 1504	3944	Process Lasso 15.0.0.50.tmp	99
PID 3944 wrote to memory of 1504	3944	Process Lasso 15.0.0.50.tmp	99
PID 3944 wrote to memory of 4272	3944	Process Lasso 15.0.0.50.tmp	100
PID 3944 wrote to memory of 4272	3944	Process Lasso 15.0.0.50.tmp	100
PID 3944 wrote to memory of 4752	3944	Process Lasso 15.0.0.50.tmp	101
PID 3944 wrote to memory of 4752	3944	Process Lasso 15.0.0.50.tmp	101
PID 3944 wrote to memory of 544	3944	Process Lasso 15.0.0.50.tmp	102
PID 3944 wrote to memory of 544	3944	Process Lasso 15.0.0.50.tmp	102
PID 544 wrote to memory of 4884	544	msedge.exe	103
PID 544 wrote to memory of 4884	544	msedge.exe	103
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1996	544	msedge.exe	104
PID 544 wrote to memory of 1936	544	msedge.exe	105
PID 544 wrote to memory of 1936	544	msedge.exe	105
PID 544 wrote to memory of 1008	544	msedge.exe	106
PID 544 wrote to memory of 1008	544	msedge.exe	106
PID 544 wrote to memory of 1008	544	msedge.exe	106
PID 544 wrote to memory of 1008	544	msedge.exe	106
PID 544 wrote to memory of 1008	544	msedge.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Process Lasso 15.0.0.50.exe
"C:\Users\Admin\AppData\Local\Temp\Process Lasso 15.0.0.50.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\is-7A6BC.tmp\Process Lasso 15.0.0.50.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7A6BC.tmp\Process Lasso 15.0.0.50.tmp" /SL5="$B0066,4792222,60928,C:\Users\Admin\AppData\Local\Temp\Process Lasso 15.0.0.50.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4952
- - C:\Program Files\Process Lasso\installHelper.exe
    "C:\Program Files\Process Lasso\installHelper.exe" /firstinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Program Files\Process Lasso\installHelper.exe
    "C:\Program Files\Process Lasso\installHelper.exe" /migrate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Program Files\Process Lasso\installHelper.exe
    "C:\Program Files\Process Lasso\installHelper.exe" /powerinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- - C:\Program Files\Process Lasso\installHelper.exe
    "C:\Program Files\Process Lasso\installHelper.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lrepacks.net/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff951846f8,0x7fff95184708,0x7fff95184718
      4⤵
      PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,4120012770104430112,2317238309395385582,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
      4⤵
      PID:1996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,4120012770104430112,2317238309395385582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,4120012770104430112,2317238309395385582,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
      4⤵
      PID:1008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4120012770104430112,2317238309395385582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:3668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,4120012770104430112,2317238309395385582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:2332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2252,4120012770104430112,2317238309395385582,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5364 /prefetch:8
      4⤵
      PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Lasso\InstallHelper.exe

Filesize
779KB

MD5
3ea8f7948e1ea9c50558ba1b348058c4

SHA1
e356d354f4593b18bcd3201a0e95e65ec759ec3a

SHA256
fba8a112823359b9921ff396c166a75aee2cb8098da12d3468ff8baf24af2803

SHA512
cfbe97c2563e6a0047251065c26dfa3cad10d4dccbfacc0d60a00f3ce17170659c4af4b9a40a0cb292cdfdb6a6b2cfb5b61f0227a444952606df76b9e9796e29

Download Submit
C:\Program Files\Process Lasso\pl_rsrc_english.dll

Filesize
1.9MB

MD5
83b9b6fb187dd48de9026d9cd6aa5237

SHA1
620fd74c83a7e0431827a38f3dd721a978721c3a

SHA256
4ae449321a4c39be7188e2396cc84fd4f7d5dbd3d8ebf106d2946b255731e0c7

SHA512
246410a10304505eab65f2813f7122731c0987ce2c9faeaa854f211e87e396c451d419185bea2ba006fcd1f870ae49d17565aba28363b2ae8004bf46a690ef54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
8a31783a8edff2301567bc04aeb358f3

SHA1
fa7025990c1c2af50dd41ffaf90f83ed17e16849

SHA256
cae94592944b063413eb0d4a17e96a4ada9219716a2c0f820c7b22387fff3a3d

SHA512
75b60aa7164c8ddff7c62fcf77fdf0d21a60b01754293e6c3200f3532a0e4367c00ec82c3f1dfeb694bc42289e0ee2e82ba1ee922971871163b01bc771def19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
36f614569773488b1992dd83dd1f7894

SHA1
c98982839e5fc3a4e8ce9a4f03b2df33ae85c874

SHA256
7d1a8e7549ba4046d7067da75e6db49a2e2cc4c20b1af0b77a34a29359bb44ec

SHA512
ba42d74f48a895fe6cf761d0098b1ca88fa297abb2a10b3310113ed8a6a3df282ffb988e1bb256d1b911099930ca292b2e8ea1fac748159b364882cd532babbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9543b74057da59b50019fe7e5002b123

SHA1
df099f36f813d79579c81892fe21e7070c377d5e

SHA256
4239bdd5db7f2d496c7bf74bdcb1550bfbed967ea87a86cd43207f4b786e616f

SHA512
db305a27857f974adbb6b4447e2134d62d5cc8547e82991ec7b6ee23c7936bca3d8fd9d46c3b337b575c4ec368c732cc51fdaba217ef3d99b1d809b87b583a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4ab896c8f4c4595e834ef2a376737d6a

SHA1
c92bd2e4e82967470c852d0802ea729c07536157

SHA256
e10a87048d77f21b9289d8faefa1ad443362f5c7933fa8576248418452ac09d8

SHA512
81c3e876a65d69d29d3c9b7993cf7ef0a7f7685dbe5a7b26215410443564653576a4f45a8f28ca95f98961a88a3a91eac73c8fa77b25671c747f6af54e097fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f37d2e3172a10699a3a30dfc214b9f4f

SHA1
13bf4ecd588eae65b04cce43193c48695f3f88ad

SHA256
e80f3e610eb129e131697d8844c3eb87f6afae648dd64b8d8f768a6eb8c205fa

SHA512
5e1a8f382ed6ed25208dcaaa339074b3643385a47fa0c68b62babbb4de2c1d838aee27a0d1f56fc861238c3d06d5ba42a36d62100260e5f387b3494e877fd661

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4QQIP.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4QQIP.tmp\VclStylesInno.dll

Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7A6BC.tmp\Process Lasso 15.0.0.50.tmp

Filesize
907KB

MD5
3754a5eb2b26e9b6a89bd0690718351a

SHA1
5356815f88cbcc512c74b401c5b1c89f8e950944

SHA256
2006b2b4d5eb64722f0bba35380057c9556a7e8bd4bf95b92cd68d84ba255be6

SHA512
9ad991d58a60924650523f3e59a02389a7e729fbf73a0b20479c590375f40f041e0a7101604d7305ef8d7a8d57ba53e8823a75aa27441757881c604236ab0bec

Download Submit
memory/784-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/784-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3944-68-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-42-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-79-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/3944-78-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-77-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-70-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/3944-65-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-64-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/3944-63-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-62-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-61-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/3944-60-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-59-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-58-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/3944-57-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-56-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-55-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/3944-54-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-50-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-76-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/3944-75-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-74-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-73-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/3944-72-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-71-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-69-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-81-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-67-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/3944-66-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-45-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-52-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/3944-51-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-49-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/3944-43-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/3944-87-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3944-80-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-41-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-48-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-47-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-88-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3944-40-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/3944-39-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-90-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3944-89-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3944-36-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-34-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/3944-44-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-38-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-37-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/3944-28-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/3944-33-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-32-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-31-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/3944-30-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-29-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-27-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-26-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-91-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3944-82-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/3944-83-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-84-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-53-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-25-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/3944-94-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3944-254-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3944-46-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/3944-35-0x00000000077B0000-0x00000000078F0000-memory.dmp

Filesize
1.2MB

Download
memory/3944-23-0x0000000007490000-0x00000000077AA000-memory.dmp

Filesize
3.1MB

Download
memory/3944-17-0x0000000007260000-0x0000000007276000-memory.dmp

Filesize
88KB

Download
memory/3944-9-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download