cc00f4cf49623023e6a13a500fda644a1d39703677b2abe0b73b4ccdf7e87c93

Analysis

max time kernel
96s
max time network
149s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-01-2025 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chloride Tweaks Ultimate 2.0.0/3 Tweaks/6 Proccess Lasso/processlassosetup64.exe
Size

2.3MB
MD5

d29fef939e8952ea60da440c4881a236
SHA1

3de01562c7f57e2216dc3315d04688861210b15c
SHA256

7247a6e2873021dc5b8bf50862e8b0e703b1fac27f2bf78d81e1753d7057d2d8
SHA512

e9e6da092a277d63a125031308e959d1d6760a7aa3b010fc1da23db1d230854821a27d158b2ef305d3a22b04aa18bae8f9a59939660e5f6afa9b4f84a3b4651f
SSDEEP

49152:Zo5YlYTImfx46GfaAjZMzXCeOe4g/yWRiJxfOLA769jtYNESu4fg9Q/E:PlYTXu6GasAXTcg/y4iJU9jtMRg9Q8

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File created	C:\Program Files\Process Lasso\vistammsc.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\QuickUpgrade.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_chinese_traditional.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\plActivate.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\uninstall.exe	processlassosetup64.exe
File opened for modification	C:\Program Files\Process Lasso	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_english.dll	processlassosetup64.exe
File opened for modification	C:\Program Files\Process Lasso\processlasso.exe	installhelper.exe
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_english.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\.docs_fmt0	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\TweakScheduler.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_russian.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\.logtype9	processlassosetup64.exe
File opened for modification	C:\Program Files\Process Lasso\.logtype9	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\ProcessGovernor.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\CPUEater.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_polish.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl.cmd	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\srvstub.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\ProcessLassoLauncher.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\Insights.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_french.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_ptbr.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_japanese.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_slovenian.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_spanish.dll	processlassosetup64.exe
File opened for modification	C:\Program Files\Process Lasso\bitsumsessionagent.exe	installhelper.exe
File created	C:\Program Files\Process Lasso\ProcessLasso.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_finnish.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_chinese.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\InstallHelper.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\bitsumms.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\bitsumsessionagent.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\testlasso.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\LogViewer.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\ThreadRacer.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\bcleaner.exe	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_german.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl_rsrc_italian.dll	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\start-governor.bat	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\stop-governor.bat	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\pl-update.cmd	processlassosetup64.exe
File created	C:\Program Files\Process Lasso\LICENSES	processlassosetup64.exe

Executes dropped EXE 21 IoCs

pid	Process
3796	installhelper.exe
2420	installHelper.exe
1600	installHelper.exe
4436	InstallHelper.exe
64	InstallHelper.exe
1984	bitsumms.exe
3940	bitsumms.exe
2104	bitsumms.exe
4776	bitsumms.exe
3096	InstallHelper.exe
2140	InstallHelper.exe
4320	installhelper.exe
2304	bitsumms.exe
532	bitsumms.exe
3604	bitsumms.exe
4316	bitsumms.exe
2040	bitsumms.exe
4532	srvstub.exe
1924	processgovernor.exe
3800	bitsumms.exe
1716	processlasso.exe

Loads dropped DLL 12 IoCs

pid	Process
2992	processlassosetup64.exe
2992	processlassosetup64.exe
3796	installhelper.exe
2420	installHelper.exe
1600	installHelper.exe
4436	InstallHelper.exe
64	InstallHelper.exe
3096	InstallHelper.exe
2140	InstallHelper.exe
4320	installhelper.exe
1924	processgovernor.exe
1924	processgovernor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processlassosetup64.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processgovernor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processgovernor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\C:\Program Files\Process Lasso\ProcessGovernor.exe = "1"	processgovernor.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\ProcessLasso\InstallerLanguageDWORD = "1033"	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant	processgovernor.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\C:\Program Files\Process Lasso\ProcessLasso.exe = "1"	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\ProcessLasso	processgovernor.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\ProcessLasso\ProcessLasso = 09040000	processgovernor.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\ProcessLasso\Language = "1033"	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\ProcessLasso	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags	processgovernor.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3796	installhelper.exe
3796	installhelper.exe
3796	installhelper.exe
4320	installhelper.exe
4320	installhelper.exe
4320	installhelper.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3796	installhelper.exe
Token: SeDebugPrivilege	3796	installhelper.exe
Token: SeChangeNotifyPrivilege	3796	installhelper.exe
Token: SeIncBasePriorityPrivilege	3796	installhelper.exe
Token: SeIncreaseQuotaPrivilege	3796	installhelper.exe
Token: SeProfSingleProcessPrivilege	3796	installhelper.exe
Token: SeAssignPrimaryTokenPrivilege	2420	installHelper.exe
Token: SeDebugPrivilege	2420	installHelper.exe
Token: SeChangeNotifyPrivilege	2420	installHelper.exe
Token: SeIncBasePriorityPrivilege	2420	installHelper.exe
Token: SeIncreaseQuotaPrivilege	2420	installHelper.exe
Token: SeProfSingleProcessPrivilege	2420	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	1600	installHelper.exe
Token: SeDebugPrivilege	1600	installHelper.exe
Token: SeChangeNotifyPrivilege	1600	installHelper.exe
Token: SeIncBasePriorityPrivilege	1600	installHelper.exe
Token: SeIncreaseQuotaPrivilege	1600	installHelper.exe
Token: SeProfSingleProcessPrivilege	1600	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	4436	InstallHelper.exe
Token: SeDebugPrivilege	4436	InstallHelper.exe
Token: SeChangeNotifyPrivilege	4436	InstallHelper.exe
Token: SeIncBasePriorityPrivilege	4436	InstallHelper.exe
Token: SeIncreaseQuotaPrivilege	4436	InstallHelper.exe
Token: SeProfSingleProcessPrivilege	4436	InstallHelper.exe
Token: SeAssignPrimaryTokenPrivilege	64	InstallHelper.exe
Token: SeDebugPrivilege	64	InstallHelper.exe
Token: SeChangeNotifyPrivilege	64	InstallHelper.exe
Token: SeIncBasePriorityPrivilege	64	InstallHelper.exe
Token: SeIncreaseQuotaPrivilege	64	InstallHelper.exe
Token: SeProfSingleProcessPrivilege	64	InstallHelper.exe
Token: SeAssignPrimaryTokenPrivilege	3096	InstallHelper.exe
Token: SeDebugPrivilege	3096	InstallHelper.exe
Token: SeChangeNotifyPrivilege	3096	InstallHelper.exe
Token: SeIncBasePriorityPrivilege	3096	InstallHelper.exe
Token: SeIncreaseQuotaPrivilege	3096	InstallHelper.exe
Token: SeProfSingleProcessPrivilege	3096	InstallHelper.exe
Token: SeAssignPrimaryTokenPrivilege	2140	InstallHelper.exe
Token: SeDebugPrivilege	2140	InstallHelper.exe
Token: SeChangeNotifyPrivilege	2140	InstallHelper.exe
Token: SeIncBasePriorityPrivilege	2140	InstallHelper.exe
Token: SeIncreaseQuotaPrivilege	2140	InstallHelper.exe
Token: SeProfSingleProcessPrivilege	2140	InstallHelper.exe
Token: SeAssignPrimaryTokenPrivilege	4320	installhelper.exe
Token: SeDebugPrivilege	4320	installhelper.exe
Token: SeChangeNotifyPrivilege	4320	installhelper.exe
Token: SeIncBasePriorityPrivilege	4320	installhelper.exe
Token: SeIncreaseQuotaPrivilege	4320	installhelper.exe
Token: SeProfSingleProcessPrivilege	4320	installhelper.exe
Token: SeAssignPrimaryTokenPrivilege	4532	srvstub.exe
Token: SeCreateGlobalPrivilege	4532	srvstub.exe
Token: SeAssignPrimaryTokenPrivilege	1924	processgovernor.exe
Token: SeDebugPrivilege	1924	processgovernor.exe
Token: SeChangeNotifyPrivilege	1924	processgovernor.exe
Token: SeIncBasePriorityPrivilege	1924	processgovernor.exe
Token: SeIncreaseQuotaPrivilege	1924	processgovernor.exe
Token: SeProfSingleProcessPrivilege	1924	processgovernor.exe
Token: SeCreateGlobalPrivilege	1924	processgovernor.exe
Token: SeBackupPrivilege	1924	processgovernor.exe
Token: SeRestorePrivilege	1924	processgovernor.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3796	2992	processlassosetup64.exe	88
PID 2992 wrote to memory of 3796	2992	processlassosetup64.exe	88
PID 2992 wrote to memory of 2420	2992	processlassosetup64.exe	90
PID 2992 wrote to memory of 2420	2992	processlassosetup64.exe	90
PID 2992 wrote to memory of 1600	2992	processlassosetup64.exe	91
PID 2992 wrote to memory of 1600	2992	processlassosetup64.exe	91
PID 2992 wrote to memory of 4436	2992	processlassosetup64.exe	92
PID 2992 wrote to memory of 4436	2992	processlassosetup64.exe	92
PID 2992 wrote to memory of 64	2992	processlassosetup64.exe	93
PID 2992 wrote to memory of 64	2992	processlassosetup64.exe	93
PID 64 wrote to memory of 1984	64	InstallHelper.exe	94
PID 64 wrote to memory of 1984	64	InstallHelper.exe	94
PID 64 wrote to memory of 3940	64	InstallHelper.exe	95
PID 64 wrote to memory of 3940	64	InstallHelper.exe	95
PID 64 wrote to memory of 2104	64	InstallHelper.exe	96
PID 64 wrote to memory of 2104	64	InstallHelper.exe	96
PID 64 wrote to memory of 4776	64	InstallHelper.exe	97
PID 64 wrote to memory of 4776	64	InstallHelper.exe	97
PID 2992 wrote to memory of 3096	2992	processlassosetup64.exe	98
PID 2992 wrote to memory of 3096	2992	processlassosetup64.exe	98
PID 2992 wrote to memory of 2140	2992	processlassosetup64.exe	99
PID 2992 wrote to memory of 2140	2992	processlassosetup64.exe	99
PID 2992 wrote to memory of 4320	2992	processlassosetup64.exe	100
PID 2992 wrote to memory of 4320	2992	processlassosetup64.exe	100
PID 4320 wrote to memory of 2304	4320	installhelper.exe	102
PID 4320 wrote to memory of 2304	4320	installhelper.exe	102
PID 4320 wrote to memory of 532	4320	installhelper.exe	103
PID 4320 wrote to memory of 532	4320	installhelper.exe	103
PID 4320 wrote to memory of 3604	4320	installhelper.exe	104
PID 4320 wrote to memory of 3604	4320	installhelper.exe	104
PID 4320 wrote to memory of 4316	4320	installhelper.exe	105
PID 4320 wrote to memory of 4316	4320	installhelper.exe	105
PID 4320 wrote to memory of 2040	4320	installhelper.exe	106
PID 4320 wrote to memory of 2040	4320	installhelper.exe	106
PID 4320 wrote to memory of 3800	4320	installhelper.exe	109
PID 4320 wrote to memory of 3800	4320	installhelper.exe	109
PID 4532 wrote to memory of 1924	4532	srvstub.exe	108
PID 4532 wrote to memory of 1924	4532	srvstub.exe	108
PID 2992 wrote to memory of 1716	2992	processlassosetup64.exe	110
PID 2992 wrote to memory of 1716	2992	processlassosetup64.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Chloride Tweaks Ultimate 2.0.0\3 Tweaks\6 Proccess Lasso\processlassosetup64.exe
"C:\Users\Admin\AppData\Local\Temp\Chloride Tweaks Ultimate 2.0.0\3 Tweaks\6 Proccess Lasso\processlassosetup64.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files\Process Lasso\installhelper.exe
  "C:\Program Files\Process Lasso\installhelper.exe" /terminate
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Program Files\Process Lasso\installHelper.exe
  "C:\Program Files\Process Lasso\installHelper.exe" /firstinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Program Files\Process Lasso\installHelper.exe
  "C:\Program Files\Process Lasso\installHelper.exe" /migrate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Program Files\Process Lasso\InstallHelper.exe
  "C:\Program Files\Process Lasso\InstallHelper.exe" /powerinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Program Files\Process Lasso\InstallHelper.exe
  "C:\Program Files\Process Lasso\InstallHelper.exe" /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" /name:ProcessGovernor /stop
    3⤵
    - Executes dropped EXE
    PID:1984
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" /name:ProcessLassoGovernor /remove
    3⤵
    - Executes dropped EXE
    PID:3940
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" /name:ProcessGovernor /stop
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" /name:ProcessGovernor /remove
    3⤵
    - Executes dropped EXE
    PID:4776
- C:\Program Files\Process Lasso\InstallHelper.exe
  "C:\Program Files\Process Lasso\InstallHelper.exe" /env_path_install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Program Files\Process Lasso\InstallHelper.exe
  "C:\Program Files\Process Lasso\InstallHelper.exe" /enable_update_check
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Program Files\Process Lasso\installhelper.exe
  "C:\Program Files\Process Lasso\installhelper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" /name:ProcessGovernor /stop
    3⤵
    - Executes dropped EXE
    PID:2304
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" /name:ProcessGovernor /remove
    3⤵
    - Executes dropped EXE
    PID:532
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" /name:ProcessGovernor /stop
    3⤵
    - Executes dropped EXE
    PID:3604
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" /name:ProcessGovernor /remove
    3⤵
    - Executes dropped EXE
    PID:4316
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" "C:\Program Files\Process Lasso\processgovernor.exe" /name:ProcessGovernor "/displayname:Process Lasso Core (Process Governor)" /exitevent:Global\ProcessGovernorExitEvent
    3⤵
    - Executes dropped EXE
    PID:2040
- - C:\Program Files\Process Lasso\bitsumms.exe
    "C:\Program Files\Process Lasso\bitsumms.exe" /name:ProcessGovernor /stop
    3⤵
    - Executes dropped EXE
    PID:3800
- C:\Program Files\Process Lasso\processlasso.exe
  "C:\Program Files\Process Lasso\processlasso.exe" /install /nodelay /showwindow
  2⤵
  - Executes dropped EXE
  PID:1716

C:\Program Files\Process Lasso\srvstub.exe
"C:\Program Files\Process Lasso\srvstub.exe" "C:\Program Files\Process Lasso\processgovernor.exe" "ProcessGovernor" /exitevent:Global\ProcessGovernorExitEvent
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Program Files\Process Lasso\processgovernor.exe
  "C:\Program Files\Process Lasso\processgovernor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Lasso\InstallHelper.exe

Filesize
918KB

MD5
c699e322b45aa80fd4825b0becc11ede

SHA1
10e59d678678cf4c233adce43db6378d35323c70

SHA256
323f88b4bfddaaf769f1e954820de53c136ff2330b1a955f558eeae88cdab1bc

SHA512
84427a87cadfff9bec6c2f4814a4dd16a9216065d0b6a22e6a302ccf0a80a679cbf3c2ed3ad8ad6c37aafba49758e0aa06eafb7c3ac4b1fb0ca5922f55171ba6

Download Submit
C:\Program Files\Process Lasso\ProcessGovernor.exe

Filesize
1.1MB

MD5
5edc206ddd848aa6359248b547ffdd54

SHA1
f1cea41710402b253dd373711ee1379c903f2018

SHA256
1fc74fd28461e9ccba9b855b8aa883a346abcb8285c390da427cd32e901f516e

SHA512
577590ae90490446777ca62cfa6f708c9a94650b23c1cc5eced82a2a0a7ec8d6285b33cfe7a17056861f1722c88fd04ad246ced081524d86dc4ab8b540473542

Download Submit
C:\Program Files\Process Lasso\ProcessLasso.exe

Filesize
1.6MB

MD5
0828c558d470e53e1200a4a5f091bacc

SHA1
cf7710dd22be6564d38590b162bc9509bf80198c

SHA256
c172b81f67cdf6a6b5db3cd398411bfd0782c5f2c2ea25065dcb4504e5cd5ad5

SHA512
efbd39b8c31d04e06f5c548ea6558801ba82f08f62be79b8ffe5f0cbc8654e9df5fbf80065e2cdf79682ef9d0842a6503bc0291e4a50e4f48f4f1fc9c5a77c11

Download Submit
C:\Program Files\Process Lasso\ProcessLassoLauncher.exe

Filesize
379KB

MD5
a56ae828b70b523e0d5091a786b2f0a7

SHA1
7c00cb98cfcd50fe730548de23d66665fe490cb2

SHA256
8fd055208f8750357fe34db5b3ee7838e492ee5ebc7bb02e14f5ac2d4938fe9f

SHA512
5b303a701d107a78d9d465946d7ac0a8371fe6ff32d6cdfcb8460bc5162dc7d97778afa8835e73639ca533145b70090105038380981096b5035734f146d451ca

Download Submit
C:\Program Files\Process Lasso\bitsumms.exe

Filesize
295KB

MD5
78bce25234eb7673d8af806d7fa15a19

SHA1
ab710f2afe1f267f75927c1f90d686e45af62656

SHA256
b211ad8583e130d1576d6fff97bac9b544a031c3a3041bab82bd503fbf0928e9

SHA512
f526371c7580a5a9b48310a9175dc44ee3661f89af46f71af6a40cf9f06c97c3a3149b6a02519269838ebd582a17cfe7811fc1f1bccef2043285df7d59e88088

Download Submit
C:\Program Files\Process Lasso\pl_rsrc_english.dll

Filesize
1.9MB

MD5
3aeb2782cd96b1a1a9803ef788724609

SHA1
d828f1d0620e8b45d9e80d653fecdfd071abaa6c

SHA256
8773a97f445babb870cbd5736668a4eae253475d61947ac1f103980fce7083c2

SHA512
6e477ea5aaa86f9cfe50c7bb456ab9f78cc7b1602ae9831a63f328b7fd0705a008c0d91581904b417f07c2988cc58af2d0769a04d4d0f05e59460c629e1ad757

Download Submit
C:\Program Files\Process Lasso\srvstub.exe

Filesize
125KB

MD5
412df379e7efd4ecdba21a17e931deb9

SHA1
f670dd7e8d6051d9796ba7a98ce04770b85734ad

SHA256
b17eda83e4a9b458492588d7302ee50964ccca06e230b0d5f8c46dde7bcb1b01

SHA512
6c8825550057dc555052256623457b07ccd918ed20f4d0ff4e4fdfac4f007401cff3aa9444a839f31dbe5af3030854ae667278dbbc34735f5b28e790218eea15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC1EA.tmp\LangDLL.dll

Filesize
5KB

MD5
ab1db56369412fe8476fefffd11e4cc0

SHA1
daad036a83b2ee2fa86d840a34a341100552e723

SHA256
6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

SHA512
8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC1EA.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit