Windows Analysis Report
Urunla 0010_Fiyat Talap Teklif ID56313.exe

Overview

General Information

Sample name: Urunla 0010_Fiyat Talap Teklif ID56313.exe
Analysis ID: 1520414
MD5: 6d0b36d8196d5204908ac46df6b26dd6
SHA1: a8e77c1ffb0dcd5df4be1c4f5c712d601b68b92e
SHA256: c05124a691aadde7935955fc41a1539398fe2007927ef19e27d8764cbafe266d
Tags: exe, geoTUR, user-abuse_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Avira: detection malicious, Label: HEUR/AGEN.1323682
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentsendMessage?chat_id=document"}
Source: kmk.exe.5296.7.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendMessage"}
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe ReversingLabs: Detection: 65%
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Joe Sandbox ML: detected
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Joe Sandbox ML: detected
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match File source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.39ddf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.393ba80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.37cdf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.3873c20.1.raw.unpack, type: UNPACKEDPE
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000003.00000002.4514332957.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000008.00000002.4515896776.0000000002D55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kmk.exe, 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: kmk.exe, 00000008.00000002.4515896776.0000000002D51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://UZQtUP.com
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2057456613.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.4507138175.0000000000434000.00000040.00000400.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.2429634702.0000000003793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000003.00000002.4514332957.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentdocument-----
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2057456613.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000003.00000002.4507133105.0000000000436000.00000040.00000400.00020000.00000000.sdmp, kmk.exe, 00000005.00000002.2343737352.0000000004385000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.2429634702.0000000003793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: kmk.exe, 00000008.00000002.4515896776.0000000002D55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_01506890 SetWindowsHookExW 0000000D,00000000,?,? 3_2_01506890
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\kmk\kmk.exe
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\kmk\kmk.exe
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 3.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.kmk.exe.39ddf00.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 7.2.kmk.exe.39ddf00.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.kmk.exe.39ddf00.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 7.2.kmk.exe.39ddf00.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.kmk.exe.393ba80.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 7.2.kmk.exe.393ba80.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.37cdf00.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.37cdf00.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.kmk.exe.3873c20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 7.2.kmk.exe.3873c20.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.kmk.exe.3136af4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000008.00000002.4507142891.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000002.4507138175.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.2057456613.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000002.4514332957.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000007.00000002.2429634702.0000000003793000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 4424, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 5780, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 5780, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: kmk.exe PID: 1784, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: kmk.exe PID: 1784, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: kmk.exe PID: 5296, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: kmk.exe PID: 5252, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2059875133.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000000.2025602650.0000000000292000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEuuAGSl.exe. vs Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2056464575.0000000002938000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2055440511.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2057456613.00000000037CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2057456613.00000000037CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameJxIIaRUTvaLxexPWTLbbe.exe4 vs Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2056464575.00000000026E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameJxIIaRUTvaLxexPWTLbbe.exe4 vs Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000003.00000002.4507935855.0000000001137000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Binary or memory string: OriginalFilenameEuuAGSl.exe. vs Urunla 0010_Fiyat Talap Teklif ID56313.exe
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.kmk.exe.39ddf00.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 7.2.kmk.exe.39ddf00.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.kmk.exe.39ddf00.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 7.2.kmk.exe.39ddf00.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.kmk.exe.393ba80.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 7.2.kmk.exe.393ba80.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.37cdf00.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.37cdf00.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.kmk.exe.3873c20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 7.2.kmk.exe.3873c20.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.kmk.exe.3136af4.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 00000008.00000002.4507142891.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000002.4507138175.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.2057456613.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000002.4514332957.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000007.00000002.2429634702.0000000003793000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 4424, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 5780, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 5780, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: kmk.exe PID: 1784, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: kmk.exe PID: 1784, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: kmk.exe PID: 5296, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: kmk.exe PID: 5252, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: kmk.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/4@0/0
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Urunla 0010_Fiyat Talap Teklif ID56313.exe.log Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Mutant created: \Sessions\1\BaseNamedObjects\PLxhQIxwnCWZmNEmCJHdtxwX
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000003.00000002.4514332957.0000000003092000.00000004.00000800.00020000.00000000.sdmp, Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000003.00000002.4514332957.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.4515867343.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.4515867343.00000000033E2000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000008.00000002.4515896776.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000008.00000002.4515896776.0000000002E82000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe File read: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe "C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe"
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Process created: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe "{path}"
Source: unknown Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe "C:\Users\user\AppData\Roaming\kmk\kmk.exe"
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe "{path}"
Source: unknown Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe "C:\Users\user\AppData\Roaming\kmk\kmk.exe"
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe "{path}"
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Process created: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe "{path}" Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe "{path}" Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe "{path}" Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, --.cs .Net Code: _0003 System.AppDomain.Load(byte[])
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.2706bd4.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, B.cs .Net Code: A System.Reflection.Assembly.Load(byte[])
Source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.4d50000.3.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: kmk.exe.3.dr, --.cs .Net Code: _0003 System.AppDomain.Load(byte[])
Source: 5.2.kmk.exe.3136af4.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 7.2.kmk.exe.39ddf00.2.raw.unpack, B.cs .Net Code: A System.Reflection.Assembly.Load(byte[])
Source: 7.2.kmk.exe.2716714.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 0_2_0C7F5A4D push eax; ret 0_2_0C7F5A52
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_014A3F8F push edi; retn 0000h 3_2_014A3F91
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0150E808 pushfd ; ret 3_2_0150E809
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0162C762 push eax; ret 3_2_0162C7CA
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0162C7E0 push eax; ret 3_2_0162C7EA
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0162C7C0 push eax; ret 3_2_0162C7CA
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0162C7D0 push eax; ret 3_2_0162C7DA
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0162C780 push eax; ret 3_2_0162C7BA
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0162C780 push eax; ret 3_2_0162C7EA
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_06486638 pushfd ; ret 3_2_06486641
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0648D55A push ss; iretd 3_2_0648D55D
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0648D006 push es; ret 3_2_0648D010
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_0648D012 push ebx; ret 3_2_0648D015
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 5_2_0CE45A4D push eax; ret 5_2_0CE45A52
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 6_2_0177C7E0 push eax; ret 6_2_0177C7EA
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 6_2_0177C7D0 push eax; ret 6_2_0177C7DA
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 6_2_0177C7C0 push eax; ret 6_2_0177C7CA
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 6_2_0177C780 push eax; ret 6_2_0177C7BA
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 6_2_01884057 push edi; retn 0000h 6_2_01884059
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 6_2_018B0312 push 8BFFFFFFh; retf 6_2_018B0318
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 6_2_018BE808 pushfd ; ret 6_2_018BE809
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 7_2_04D1F66D push esp; ret 7_2_04D1F679
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 7_2_0C395A4D push eax; ret 7_2_0C395A52
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 8_2_00E5C7E0 push eax; ret 8_2_00E5C7EA
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 8_2_00E5C7C0 push eax; ret 8_2_00E5C7CA
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 8_2_00E5C7D0 push eax; ret 8_2_00E5C7DA
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 8_2_00EF4057 push edi; retn 0000h 8_2_00EF4059
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 8_2_00F2030C push 8BFFFFFFh; retf 8_2_00F20318
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Code function: 8_2_00F2E808 pushfd ; ret 8_2_00F2E809
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe Static PE information: section name: .text entropy: 7.818567192417198
Source: kmk.exe.3.dr Static PE information: section name: .text entropy: 7.818567192417198
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe File created: C:\Users\user\AppData\Roaming\kmk\kmk.exe
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kmk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe File opened: C:\Users\user\AppData\Roaming\kmk\kmk.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 4424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 5296, type: MEMORYSTR
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2056464575.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000005.00000002.2340294761.0000000003111000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Urunla 0010_Fiyat Talap Teklif ID56313.exe, 00000000.00000002.2056464575.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000005.00000002.2340294761.0000000003111000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: CA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 26E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 25E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 7410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 6C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 8410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 9410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 97A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: A7A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: B7A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 15E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 2F90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: 4F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 2EF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 5110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 78E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 88E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 8A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 9A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 9DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: ADD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: BDD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 1750000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 32B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 52B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 2510000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 26F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 46F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 6FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 6D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 7FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 8FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 9320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: A320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: B320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory allocated: 1160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Window / User API: threadDelayed 7296
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Window / User API: threadDelayed 2544
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Window / User API: threadDelayed 6178
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Window / User API: threadDelayed 3629
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Window / User API: threadDelayed 6686
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Window / User API: threadDelayed 3148
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe TID: 4436 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe TID: 5540 Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe TID: 5540 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe TID: 5960 Thread sleep count: 7296 > 30
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe TID: 5960 Thread sleep count: 2544 > 30
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 6496 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 4676 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 4676 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 6128 Thread sleep count: 6178 > 30
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 6128 Thread sleep count: 3629 > 30
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 5948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 3128 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 4352 Thread sleep count: 6686 > 30
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe TID: 4352 Thread sleep count: 3148 > 30
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Thread delayed: delay time: 922337203685477
Source: kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: kmk.exe, 00000007.00000002.2425098716.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Code function: 3_2_015092E8 LdrInitializeThunk, 3_2_015092E8
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Memory written: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Memory written: C:\Users\user\AppData\Roaming\kmk\kmk.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Process created: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe "{path}"
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Process created: C:\Users\user\AppData\Roaming\kmk\kmk.exe "{path}"
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Users\user\AppData\Roaming\kmk\kmk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Users\user\AppData\Roaming\kmk\kmk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Users\user\AppData\Roaming\kmk\kmk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Users\user\AppData\Roaming\kmk\kmk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.39ddf00.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.39ddf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.393ba80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.37cdf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.3873c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2057456613.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4514332957.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2429634702.0000000003793000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 4424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 1784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.4514332957.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 4424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 1784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 5296, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Urunla 0010_Fiyat Talap Teklif ID56313.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000003.00000002.4514332957.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 1784, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.39ddf00.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.38eb3b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.39ddf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.393ba80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Urunla 0010_Fiyat Talap Teklif ID56313.exe.37cdf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.kmk.exe.3873c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2057456613.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4514332957.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2429634702.0000000003793000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 4424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 1784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.4514332957.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4515867343.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 4424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Urunla 0010_Fiyat Talap Teklif ID56313.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 1784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kmk.exe PID: 5296, type: MEMORYSTR
No contacted IP infos