Loading ...

Play interactive tourEdit tour

Analysis Report lazagne.exe

Overview

General Information

Sample Name:lazagne.exe
Analysis ID:383853
MD5:68d3bf2c363144ec6874ab360fdda00a
SHA1:fa2f281fd4009100b2293e120997bfd7feb10c16
SHA256:ed2f501408a7a6e1a854c29c4b0bc5648a6aa8612432df829008931b3e34bf56
Infos:

Most interesting Screenshot:

Detection

LaZagne
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected LaZagne password dumper
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • lazagne.exe (PID: 2960 cmdline: 'C:\Users\user\Desktop\lazagne.exe' MD5: 68D3BF2C363144EC6874AB360FDDA00A)
    • conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • lazagne.exe (PID: 5068 cmdline: 'C:\Users\user\Desktop\lazagne.exe' MD5: 68D3BF2C363144EC6874AB360FDDA00A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
lazagne.exeHKTL_Lazagne_PasswordDumper_Dec18_1Detects password dumper Lazagne often used by middle eastern threat groupsFlorian Roth
  • 0x64f469:$s3: config.dico(
lazagne.exeHKTL_Lazagne_Gen_18Detects Lazagne password extractor hacktoolFlorian Roth
  • 0x650dce:$x2: creddump7.win32.
  • 0x650e26:$x2: creddump7.win32.
  • 0x650e7a:$x2: creddump7.win32.
  • 0x650ed0:$x2: creddump7.win32.
  • 0x650f90:$x3: lazagne.softwares.windows.hashdump
  • 0x65029d:$x4: .softwares.memory.libkeepass.common(

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000003.240709297.00000213FE219000.00000004.00000001.sdmpmimikatzmimikatzBenjamin DELPY (gentilkiwi)
  • 0x726b0:$exe_x86_1: 89 71 04 89 30 8D 04 BD
  • 0x726e0:$exe_x86_2: 8B 4D E4 8B 45 F4 89 75 E8 89 01 85 FF 74
  • 0x72710:$exe_x86_2: 8B 4D E8 8B 45 F4 89 75 EC 89 01 85 FF 74
  • 0x72620:$exe_x64_1: 33 FF 41 89 37 4C 8B F3 45 85 C0 74
  • 0x72680:$exe_x64_1: 33 FF 45 89 37 48 8B F3 45 85 C9 74
  • 0x72560:$exe_x64_2: 4C 8B DF 49 C1 E3 04 48 8B CB 4C 03 D8
00000002.00000003.241129849.00000213FE24F000.00000004.00000001.sdmpmimikatzmimikatzBenjamin DELPY (gentilkiwi)
  • 0x3c6b0:$exe_x86_1: 89 71 04 89 30 8D 04 BD
  • 0x3c6e0:$exe_x86_2: 8B 4D E4 8B 45 F4 89 75 E8 89 01 85 FF 74
  • 0x3c710:$exe_x86_2: 8B 4D E8 8B 45 F4 89 75 EC 89 01 85 FF 74
  • 0x3c620:$exe_x64_1: 33 FF 41 89 37 4C 8B F3 45 85 C0 74
  • 0x3c680:$exe_x64_1: 33 FF 45 89 37 48 8B F3 45 85 C9 74
  • 0x3c560:$exe_x64_2: 4C 8B DF 49 C1 E3 04 48 8B CB 4C 03 D8
00000002.00000002.250605467.00000213FE257000.00000004.00000001.sdmpmimikatzmimikatzBenjamin DELPY (gentilkiwi)
  • 0x346b0:$exe_x86_1: 89 71 04 89 30 8D 04 BD
  • 0x346e0:$exe_x86_2: 8B 4D E4 8B 45 F4 89 75 E8 89 01 85 FF 74
  • 0x34710:$exe_x86_2: 8B 4D E8 8B 45 F4 89 75 EC 89 01 85 FF 74
  • 0x34620:$exe_x64_1: 33 FF 41 89 37 4C 8B F3 45 85 C0 74
  • 0x34680:$exe_x64_1: 33 FF 45 89 37 48 8B F3 45 85 C9 74
  • 0x34560:$exe_x64_2: 4C 8B DF 49 C1 E3 04 48 8B CB 4C 03 D8
00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpJoeSecurity_LaZagneYara detected LaZagne password dumperJoe Security
    00000002.00000003.241551429.00000213FDA6E000.00000004.00000001.sdmpJoeSecurity_LaZagneYara detected LaZagne password dumperJoe Security
      Click to see the 5 entries

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Antivirus / Scanner detection for submitted sampleShow sources
      Source: lazagne.exeAvira: detected
      Multi AV Scanner detection for submitted fileShow sources
      Source: lazagne.exeVirustotal: Detection: 61%Perma Link
      Source: lazagne.exeMetadefender: Detection: 27%Perma Link
      Source: lazagne.exeReversingLabs: Detection: 71%
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501FF0B0 CryptGenRandom,2_2_501FF0B0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501FBD00 free,TlsFree,CryptReleaseContext,2_2_501FBD00
      Source: lazagne.exe, 00000002.00000002.246611759.00000213FD517000.00000004.00000001.sdmpBinary or memory string: The contents of the file before the "-----BEGIN PUBLIC KEY-----" and
      Source: C:\Users\user\Desktop\lazagne.exeFile opened: C:\Users\user~1\AppData\Local\Temp\_MEI29602\msvcr100.dllJump to behavior
      Source: lazagne.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_socket.pdb source: lazagne.exe, 00000000.00000003.233199869.000001CC75AF7000.00000004.00000001.sdmp, _socket.pyd.0.dr
      Source: Binary string: O:\src\pywin32\build\temp.win-amd64-2.7\Release\pywintypes.pdb source: lazagne.exe, 00000000.00000003.234192648.000001CC75B02000.00000004.00000001.sdmp, pywintypes27.dll.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\unicodedata.pdb source: lazagne.exe, 00000000.00000003.234575362.000001CC75AF7000.00000004.00000001.sdmp, unicodedata.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\python27.pdb source: lazagne.exe, 00000002.00000002.244739400.0000000050209000.00000002.00020000.sdmp, python27.dll.0.dr
      Source: Binary string: msvcr90.amd64.pdb source: lazagne.exe, 00000000.00000003.232719541.000001CC75B3D000.00000004.00000001.sdmp, MSVCR90.dll.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_ctypes.pdb source: lazagne.exe, 00000000.00000003.232807988.000001CC75AF7000.00000004.00000001.sdmp, _ctypes.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_sqlite3.pdb source: lazagne.exe, 00000000.00000003.233236566.000001CC75AF7000.00000004.00000001.sdmp, _sqlite3.pyd.0.dr
      Source: Binary string: O:\src\pywin32\build\temp.win-amd64-2.7\Release\win32pipe.pdb source: lazagne.exe, 00000000.00000003.237774805.000001CC75BE2000.00000004.00000001.sdmp, win32pipe.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\pyexpat.pdb source: lazagne.exe, 00000000.00000003.233723872.000001CC75AF7000.00000004.00000001.sdmp, pyexpat.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_ssl.pdbp source: _ssl.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_elementtree.pdb source: lazagne.exe, 00000000.00000003.232871891.000001CC75AF7000.00000004.00000001.sdmp, _elementtree.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\bz2.pdb source: lazagne.exe, 00000000.00000003.233630368.000001CC75B00000.00000004.00000001.sdmp, bz2.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_hashlib.pdb@ source: _hashlib.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_hashlib.pdb source: _hashlib.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_multiprocessing.pdb source: lazagne.exe, 00000000.00000003.233163580.000001CC75AF7000.00000004.00000001.sdmp, _multiprocessing.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\sqlite3.pdb source: lazagne.exe, 00000000.00000003.234406591.000001CC75BE1000.00000004.00000001.sdmp, sqlite3.dll.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_ssl.pdb source: _ssl.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\select.pdb source: lazagne.exe, 00000000.00000003.234224222.000001CC75AF7000.00000004.00000001.sdmp, select.pyd.0.dr
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE0580 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF7F6BE0580
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BEA34C FindFirstFileExW,0_2_00007FF7F6BEA34C
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE0580 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF7F6BE0580
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500CAC70 malloc,FindFirstFileW,GetLastError,SetEvent,FindNextFileW,GetLastError,FindClose,free,free,FindClose,free,free,FindFirstFileA,GetLastError,_errno,GetLastError,_errno,SetEvent,FindNextFileA,GetLastError,FindClose,_errno,GetLastError,_errno,FindClose,2_2_500CAC70
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501DDDE0 getenv,FindFirstFileA,FindClose,strncmp,2_2_501DDDE0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500C9E20 GetFileAttributesExA,GetLastError,_errno,FindFirstFileA,FindClose,strrchr,_stricmp,_stricmp,_stricmp,_stricmp,2_2_500C9E20
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500C9F70 GetFileAttributesExW,GetLastError,_errno,FindFirstFileW,FindClose,wcsrchr,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,2_2_500C9F70
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/e equals www.facebook.com (Facebook)
      Source: lazagne.exe, 00000002.00000003.240996469.00000213FE3C1000.00000004.00000001.sdmpString found in binary or memory: http://blog.digital-forensics.it/2016/01/windows-revaulting.html
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmpString found in binary or memory: http://cr.yp.to/djb.html
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmpString found in binary or memory: http://cr.yp.to/snuffle.html
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmpString found in binary or memory: http://cr.yp.to/snuffle/salsafamily-20071225.pdf
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmp, lazagne.exe, 00000002.00000002.248267012.00000213FDE60000.00000004.00000001.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
      Source: lazagne.exe, 00000002.00000002.247191175.00000213FD9FB000.00000004.00000001.sdmp, lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpString found in binary or memory: http://json.org
      Source: lazagne.exe, 00000002.00000002.250398112.00000213FE11E000.00000004.00000001.sdmpString found in binary or memory: http://lab.mediaservice.net/code/cachedump.rb
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmpString found in binary or memory: http://maven.apache.org/SETTINGS/1.0.0
      Source: lazagne.exe, 00000002.00000002.248267012.00000213FDE60000.00000004.00000001.sdmpString found in binary or memory: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmp, lazagne.exe, 00000002.00000002.248267012.00000213FDE60000.00000004.00000001.sdmpString found in binary or memory: http://psi-im.org/options
      Source: python27.dll.0.drString found in binary or memory: http://python.org/dev/peps/pep-0263/
      Source: lazagne.exe, 00000002.00000002.248267012.00000213FDE60000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: lazagne.exe, 00000002.00000002.248267012.00000213FDE60000.00000004.00000001.sdmpString found in binary or memory: http://www.di-mgt.com.au/rsa_alg.html#pkcs1schemes
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmpString found in binary or memory: http://www.ecrypt.eu.org/stream/p3ciphers/salsa20/salsa20_p3source.zip
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmpString found in binary or memory: http://www.ecrypt.eu.org/stream/salsa20p3.html
      Source: lazagne.exe, 00000002.00000003.241395233.00000213FDFC3000.00000004.00000001.sdmpString found in binary or memory: http://www.eyevis.de/en/products/wall-management-software.html
      Source: _ssl.pyd.0.drString found in binary or memory: http://www.openssl.org/support/faq.html
      Source: _ssl.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://www.openssl.org/support/faq.htmlC:
      Source: lazagne.exe, 00000002.00000002.246345970.00000213FD241000.00000004.00000001.sdmpString found in binary or memory: http://www.python.org/dev/peps/pep-0205/
      Source: lazagne.exe, 00000002.00000003.240315783.00000213FDA24000.00000004.00000001.sdmpString found in binary or memory: http://www.rgaros.nl/gestalt/
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmpString found in binary or memory: http://www.seanet.com/~bugbee/crypto/salsa20/
      Source: lazagne.exe, 00000002.00000003.242339124.00000213FDF5A000.00000004.00000001.sdmpString found in binary or memory: http://www.tiac.net/~sw/2010/02/PureSalsa20
      Source: lazagne.exe, 00000000.00000003.234648078.000001CC75B64000.00000004.00000001.sdmp, unicodedata.pyd.0.drString found in binary or memory: http://www.unicode.org/reports/tr44/tr44-4.html).
      Source: lazagne.exe, 00000000.00000003.234648078.000001CC75B64000.00000004.00000001.sdmp, unicodedata.pyd.0.drString found in binary or memory: http://www.unicode.org/reports/tr44/tr44-4.html).u
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/servicelogin
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/serviceloginad
      Source: lazagne.exe, 00000002.00000002.250786407.00000213FE381000.00000004.00000001.sdmp, lazagne.exe, 00000002.00000002.250398112.00000213FE11E000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org/jmichel/dpapick
      Source: lazagne.exe, 00000002.00000002.250605467.00000213FE257000.00000004.00000001.sdmpString found in binary or memory: https://code.google.com/p/creddump/
      Source: lazagne.exe, 00000002.00000002.248267012.00000213FDE60000.00000004.00000001.sdmpString found in binary or memory: https://getcomposer.org/doc/articles/http-basic-authentication.md
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpString found in binary or memory: https://git-scm.com/docs/git-credential-store
      Source: lazagne.exe, 00000002.00000002.250786407.00000213FE381000.00000004.00000001.sdmp, lazagne.exe, 00000002.00000002.250398112.00000213FE11E000.00000004.00000001.sdmpString found in binary or memory: https://github.com/dfirfpi/dpapilab
      Source: lazagne.exe, 00000000.00000003.237774805.000001CC75BE2000.00000004.00000001.sdmp, win32pipe.pyd.0.drString found in binary or memory: https://github.com/mhammond/pywin320
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpString found in binary or memory: https://github.com/putterpanda/mimikittenz
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpString found in binary or memory: https://maven.apache.org/guides/mini/guide-encryption.html#How_to_create_a_master_password
      Source: lazagne.exe, 00000002.00000003.241993137.00000213FDC63000.00000004.00000001.sdmpString found in binary or memory: https://maven.apache.org/settings.html#Servers
      Source: lazagne.exe, 00000002.00000003.241993137.00000213FDC63000.00000004.00000001.sdmpString found in binary or memory: https://www.gmail.com/

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

      barindex
      Yara detected LaZagne password dumperShow sources
      Source: Yara matchFile source: 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.241551429.00000213FDA6E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.242417787.00000213FDB31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.240357039.00000213FDA6E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: lazagne.exe PID: 5068, type: MEMORY
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE83940_2_00007FF7F6BE8394
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE05800_2_00007FF7F6BE0580
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD42700_2_00007FF7F6BD4270
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BEE6280_2_00007FF7F6BEE628
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE13F00_2_00007FF7F6BE13F0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BEEFC80_2_00007FF7F6BEEFC8
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BDD3840_2_00007FF7F6BDD384
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BECB800_2_00007FF7F6BECB80
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE91F80_2_00007FF7F6BE91F8
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BDD1080_2_00007FF7F6BDD108
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BF18B80_2_00007FF7F6BF18B8
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE91F80_2_00007FF7F6BE91F8
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BDF5600_2_00007FF7F6BDF560
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD79200_2_00007FF7F6BD7920
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BEA11C0_2_00007FF7F6BEA11C
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD81500_2_00007FF7F6BD8150
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BEC6B00_2_00007FF7F6BEC6B0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE05800_2_00007FF7F6BE0580
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE2A700_2_00007FF7F6BE2A70
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BDCE8C0_2_00007FF7F6BDCE8C
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500762802_2_50076280
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501BC4002_2_501BC400
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501C0AA02_2_501C0AA0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501AACA02_2_501AACA0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500761202_2_50076120
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_5018D1302_2_5018D130
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500AB1602_2_500AB160
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500D34302_2_500D3430
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501474B02_2_501474B0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500965002_2_50096500
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500BB5F02_2_500BB5F0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501566002_2_50156600
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501CE6D02_2_501CE6D0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_5018E8402_2_5018E840
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500B08A02_2_500B08A0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501889202_2_50188920
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_5018C9402_2_5018C940
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500CDA702_2_500CDA70
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_50172B802_2_50172B80
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500BABC02_2_500BABC0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500B6CB02_2_500B6CB0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500D6D002_2_500D6D00
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_50090D302_2_50090D30
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_50075F012_2_50075F01
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_50075F002_2_50075F00
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500CDF002_2_500CDF00
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501ACFB02_2_501ACFB0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500AFFE02_2_500AFFE0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 50136E60 appears 71 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 5015EF30 appears 34 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 50167160 appears 629 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 501E5630 appears 97 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 501D7310 appears 96 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 00007FF7F6BD1A80 appears 64 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 501FE6F0 appears 239 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 501D3650 appears 183 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 501D72E0 appears 74 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 5017F290 appears 57 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 501D4300 appears 569 times
      Source: C:\Users\user\Desktop\lazagne.exeCode function: String function: 00007FF7F6BD1A20 appears 37 times
      Source: lazagne.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: lazagne.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: lazagne.exe, 00000000.00000003.232719541.000001CC75B3D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMSVCR90.DLL^ vs lazagne.exe
      Source: lazagne.exe, 00000000.00000003.237774805.000001CC75BE2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamewin32pipe.pyd8 vs lazagne.exe
      Source: lazagne.exe, 00000000.00000003.233689428.000001CC75AF7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemsvcr100.dll* vs lazagne.exe
      Source: lazagne.exe, 00000000.00000003.234192648.000001CC75B02000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamepywintypes27.dll8 vs lazagne.exe
      Source: lazagne.exeBinary or memory string: OriginalFilename vs lazagne.exe
      Source: lazagne.exe, 00000002.00000002.246031584.00000000503A4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamepython27.dll. vs lazagne.exe
      Source: lazagne.exe, 00000002.00000002.247521184.00000213FDD20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs lazagne.exe
      Source: lazagne.exe, type: SAMPLEMatched rule: HKTL_Lazagne_PasswordDumper_Dec18_1 date = 2018-12-11, hash3 = bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50, hash2 = 884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63, author = Florian Roth, description = Detects password dumper Lazagne often used by middle eastern threat groups, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c
      Source: lazagne.exe, type: SAMPLEMatched rule: HKTL_Lazagne_Gen_18 date = 2018-12-11, author = Florian Roth, description = Detects Lazagne password extractor hacktool, reference = https://github.com/AlessandroZ/LaZagne, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf
      Source: 00000002.00000003.240709297.00000213FE219000.00000004.00000001.sdmp, type: MEMORYMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi)
      Source: 00000002.00000003.241129849.00000213FE24F000.00000004.00000001.sdmp, type: MEMORYMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi)
      Source: 00000002.00000002.250605467.00000213FE257000.00000004.00000001.sdmp, type: MEMORYMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi)
      Source: 00000002.00000002.250398112.00000213FE11E000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_Lazagne_Gen_18 date = 2018-12-11, author = Florian Roth, description = Detects Lazagne password extractor hacktool, reference = https://github.com/AlessandroZ/LaZagne, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf
      Source: Process Memory Space: lazagne.exe PID: 5068, type: MEMORYMatched rule: HKTL_Lazagne_Gen_18 date = 2018-12-11, author = Florian Roth, description = Detects Lazagne password extractor hacktool, reference = https://github.com/AlessandroZ/LaZagne, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf
      Source: classification engineClassification label: mal64.troj.winEXE@4/21@0/0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD5070 GetLastError,FormatMessageW,WideCharToMultiByte,0_2_00007FF7F6BD5070
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user~1\AppData\Local\Temp\_MEI29602Jump to behavior
      Source: lazagne.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\lazagne.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: lazagne.exe, 00000000.00000003.234406591.000001CC75BE1000.00000004.00000001.sdmp, sqlite3.dll.0.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
      Source: lazagne.exe, 00000002.00000003.241993137.00000213FDC63000.00000004.00000001.sdmpBinary or memory string: SELECT a11,a102 FROM nssPrivate;
      Source: lazagne.exe, 00000000.00000003.234406591.000001CC75BE1000.00000004.00000001.sdmp, sqlite3.dll.0.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: lazagne.exe, 00000000.00000003.234406591.000001CC75BE1000.00000004.00000001.sdmp, sqlite3.dll.0.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpBinary or memory string: SELECT item1,item2 FROM metadata WHERE id = 'password';
      Source: lazagne.exe, 00000000.00000003.234406591.000001CC75BE1000.00000004.00000001.sdmp, sqlite3.dll.0.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: lazagne.exe, 00000000.00000003.234406591.000001CC75BE1000.00000004.00000001.sdmp, sqlite3.dll.0.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: lazagne.exe, 00000002.00000003.241993137.00000213FDC63000.00000004.00000001.sdmpBinary or memory string: SELECT * FROM moz_logins;
      Source: lazagne.exe, 00000000.00000003.234406591.000001CC75BE1000.00000004.00000001.sdmp, sqlite3.dll.0.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
      Source: lazagne.exe, 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmpBinary or memory string: SELECT item1,item2 FROM metadata WHERE id = 'password';H
      Source: lazagne.exe, 00000000.00000003.234406591.000001CC75BE1000.00000004.00000001.sdmp, sqlite3.dll.0.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
      Source: lazagne.exeVirustotal: Detection: 61%
      Source: lazagne.exeMetadefender: Detection: 27%
      Source: lazagne.exeReversingLabs: Detection: 71%
      Source: lazagne.exeString found in binary or memory: --help
      Source: lazagne.exeString found in binary or memory: --help
      Source: C:\Users\user\Desktop\lazagne.exeFile read: C:\Users\user\Desktop\lazagne.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\lazagne.exe 'C:\Users\user\Desktop\lazagne.exe'
      Source: C:\Users\user\Desktop\lazagne.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\lazagne.exeProcess created: C:\Users\user\Desktop\lazagne.exe 'C:\Users\user\Desktop\lazagne.exe'
      Source: C:\Users\user\Desktop\lazagne.exeProcess created: C:\Users\user\Desktop\lazagne.exe 'C:\Users\user\Desktop\lazagne.exe' Jump to behavior
      Source: lazagne.exeStatic PE information: Image base 0x140000000 > 0x60000000
      Source: lazagne.exeStatic file information: File size 6635326 > 1048576
      Source: C:\Users\user\Desktop\lazagne.exeFile opened: C:\Users\user~1\AppData\Local\Temp\_MEI29602\msvcr100.dllJump to behavior
      Source: lazagne.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: lazagne.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: lazagne.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: lazagne.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: lazagne.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: lazagne.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: lazagne.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: lazagne.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_socket.pdb source: lazagne.exe, 00000000.00000003.233199869.000001CC75AF7000.00000004.00000001.sdmp, _socket.pyd.0.dr
      Source: Binary string: O:\src\pywin32\build\temp.win-amd64-2.7\Release\pywintypes.pdb source: lazagne.exe, 00000000.00000003.234192648.000001CC75B02000.00000004.00000001.sdmp, pywintypes27.dll.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\unicodedata.pdb source: lazagne.exe, 00000000.00000003.234575362.000001CC75AF7000.00000004.00000001.sdmp, unicodedata.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\python27.pdb source: lazagne.exe, 00000002.00000002.244739400.0000000050209000.00000002.00020000.sdmp, python27.dll.0.dr
      Source: Binary string: msvcr90.amd64.pdb source: lazagne.exe, 00000000.00000003.232719541.000001CC75B3D000.00000004.00000001.sdmp, MSVCR90.dll.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_ctypes.pdb source: lazagne.exe, 00000000.00000003.232807988.000001CC75AF7000.00000004.00000001.sdmp, _ctypes.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_sqlite3.pdb source: lazagne.exe, 00000000.00000003.233236566.000001CC75AF7000.00000004.00000001.sdmp, _sqlite3.pyd.0.dr
      Source: Binary string: O:\src\pywin32\build\temp.win-amd64-2.7\Release\win32pipe.pdb source: lazagne.exe, 00000000.00000003.237774805.000001CC75BE2000.00000004.00000001.sdmp, win32pipe.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\pyexpat.pdb source: lazagne.exe, 00000000.00000003.233723872.000001CC75AF7000.00000004.00000001.sdmp, pyexpat.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_ssl.pdbp source: _ssl.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_elementtree.pdb source: lazagne.exe, 00000000.00000003.232871891.000001CC75AF7000.00000004.00000001.sdmp, _elementtree.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\bz2.pdb source: lazagne.exe, 00000000.00000003.233630368.000001CC75B00000.00000004.00000001.sdmp, bz2.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_hashlib.pdb@ source: _hashlib.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_hashlib.pdb source: _hashlib.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_multiprocessing.pdb source: lazagne.exe, 00000000.00000003.233163580.000001CC75AF7000.00000004.00000001.sdmp, _multiprocessing.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\sqlite3.pdb source: lazagne.exe, 00000000.00000003.234406591.000001CC75BE1000.00000004.00000001.sdmp, sqlite3.dll.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\_ssl.pdb source: _ssl.pyd.0.dr
      Source: Binary string: C:\build27\cpython\PCBuild\amd64\select.pdb source: lazagne.exe, 00000000.00000003.234224222.000001CC75AF7000.00000004.00000001.sdmp, select.pyd.0.dr
      Source: lazagne.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: lazagne.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: lazagne.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: lazagne.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: lazagne.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD4EF0 MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,0_2_00007FF7F6BD4EF0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_50098A11 push 27158B48h; iretd 2_2_50098A16
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\msvcr100.dllJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\_multiprocessing.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\_hashlib.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\pyexpat.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\select.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\sqlite3.dllJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\MSVCR90.dllJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\_sqlite3.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\msvcp100.dllJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\_socket.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\_ssl.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\unicodedata.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\_elementtree.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\pywintypes27.dllJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\win32pipe.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\python27.dllJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\bz2.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI29602\_ctypes.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD2B40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FF7F6BD2B40
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29602\msvcr100.dllJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29602\select.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29602\msvcp100.dllJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29602\unicodedata.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29602\pywintypes27.dllJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29602\win32pipe.pydJump to dropped file
      Source: C:\Users\user\Desktop\lazagne.exeAPI coverage: 3.8 %
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE0580 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF7F6BE0580
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BEA34C FindFirstFileExW,0_2_00007FF7F6BEA34C
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE0580 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF7F6BE0580
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500CAC70 malloc,FindFirstFileW,GetLastError,SetEvent,FindNextFileW,GetLastError,FindClose,free,free,FindClose,free,free,FindFirstFileA,GetLastError,_errno,GetLastError,_errno,SetEvent,FindNextFileA,GetLastError,FindClose,_errno,GetLastError,_errno,FindClose,2_2_500CAC70
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_501DDDE0 getenv,FindFirstFileA,FindClose,strncmp,2_2_501DDDE0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500C9E20 GetFileAttributesExA,GetLastError,_errno,FindFirstFileA,FindClose,strrchr,_stricmp,_stricmp,_stricmp,_stricmp,2_2_500C9E20
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500C9F70 GetFileAttributesExW,GetLastError,_errno,FindFirstFileW,FindClose,wcsrchr,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,2_2_500C9F70
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500BE0E0 GetSystemInfo,GetSystemInfo,2_2_500BE0E0
      Source: lazagne.exe, 00000002.00000002.247521184.00000213FDD20000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: lazagne.exe, 00000002.00000003.240143219.00000213FE019000.00000004.00000001.sdmpBinary or memory string: lbFV/YYnN0sDkCl6Bh7AHiWLWolKxA7KjD8sA6j0XbimOLevEIoRhVMmmUORbwZm5MubfiNM03ONpl0hQEmuTKC+wo8bit6NGGaZ
      Source: lazagne.exe, 00000002.00000002.247521184.00000213FDD20000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: lazagne.exe, 00000002.00000002.247521184.00000213FDD20000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: lazagne.exe, 00000002.00000002.246203546.00000213FB8A0000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEE
      Source: lazagne.exe, 00000002.00000002.247521184.00000213FDD20000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD903C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7F6BD903C
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD4EF0 MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,0_2_00007FF7F6BD4EF0
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BEBCCC GetProcessHeap,0_2_00007FF7F6BEBCCC
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD8820 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,0_2_00007FF7F6BD8820
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD903C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7F6BD903C
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD91D8 SetUnhandledExceptionFilter,0_2_00007FF7F6BD91D8
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD89C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7F6BD89C8
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BE3AB8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7F6BE3AB8
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_502072B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess,2_2_502072B0
      Source: C:\Users\user\Desktop\lazagne.exeProcess created: C:\Users\user\Desktop\lazagne.exe 'C:\Users\user\Desktop\lazagne.exe' Jump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BF1700 cpuid 0_2_00007FF7F6BF1700
      Source: C:\Users\user\Desktop\lazagne.exeCode function: GetACP,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,2_2_50074070
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI29602\_ctypes.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI29602\_multiprocessing.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI29602\_socket.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI29602\_ssl.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI29602\_hashlib.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\6bfbvf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\6bfbvf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI29602\bz2.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI29602\_sqlite3.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI29602\_elementtree.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI29602\pyexpat.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeQueries volume information: C:\Users\user\Desktop\lazagne.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BD8F0C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7F6BD8F0C
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 0_2_00007FF7F6BEE878 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00007FF7F6BEE878
      Source: C:\Users\user\Desktop\lazagne.exeCode function: 2_2_500CDA70 GetEnvironmentVariableA,GetEnvironmentVariableA,GetVersion,_stricmp,memset,GetModuleFileNameA,strncat,_stat64i32,strncpy,strncat,_stat64i32,memset,memset,CreateProcessA,CloseHandle,2_2_500CDA70
      Source: C:\Users\user\Desktop\lazagne.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information:

      barindex
      Yara detected LaZagne password dumperShow sources
      Source: Yara matchFile source: 00000002.00000002.247312911.00000213FDB32000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.241551429.00000213FDA6E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.242417787.00000213FDB31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.240357039.00000213FDA6E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: lazagne.exe PID: 5068, type: MEMORY
      Source: lazagne.exe, 00000002.00000002.250398112.00000213FE11E000.00000004.00000001.sdmpBinary or memory string: WIN_XP
      Source: lazagne.exe, 00000002.00000002.250398112.00000213FE11E000.00000004.00000001.sdmpBinary or memory string: WIN_VISTA
      Source: lazagne.exe, 00000002.00000002.250398112.00000213FE11E000.00000004.00000001.sdmpBinary or memory string: WIN_7
      Source: lazagne.exe, 00000002.00000002.250398112.00000213FE11E000.00000004.00000001.sdmpBinary or memory string: WIN_8

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsCommand and Scripting Interpreter2Application Shimming1Process Injection11Process Injection11OS Credential DumpingSystem Time Discovery2Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsNative API1Boot or Logon Initialization ScriptsApplication Shimming1Deobfuscate/Decode Files or Information1LSASS MemorySecurity Software Discovery21Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery35Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi