Analysis Report KOPEKER.exe

Overview

General Information

Sample Name: KOPEKER.exe
Analysis ID: 392084
MD5: cd885321b35b73421cd63e3150d677f7
SHA1: 2f09e0eb93927d82076f34549b0d4d3b7b393aab
SHA256: 495edfb60c0a9af0c57251ce28ca0bcf4c911324f59074f99c2797e36c3f3ef4

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch: the binary embeds the icon of a different, legitimate application to fool users
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Multi AV Scanner detection for submitted file
Source: KOPEKER.exe Virustotal: Detection: 62%
Source: KOPEKER.exe Metadefender: Detection: 32%
Source: KOPEKER.exe ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: KOPEKER.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: KOPEKER.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\KOPEKER.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_004096F2 0_2_004096F2
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00409839 0_2_00409839
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_004098C2 0_2_004098C2
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040A0E6 0_2_0040A0E6
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040A09B 0_2_0040A09B
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040994E 0_2_0040994E
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040A17E 0_2_0040A17E
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_004099E3 0_2_004099E3
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00409A78 0_2_00409A78
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040A29C 0_2_0040A29C
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00409B1B 0_2_00409B1B
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040A335 0_2_0040A335
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040E33C 0_2_0040E33C
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040A3C6 0_2_0040A3C6
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00409BAA 0_2_00409BAA
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040A45A 0_2_0040A45A
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00409C39 0_2_00409C39
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040A4E5 0_2_0040A4E5
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00409D71 0_2_00409D71
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00409E98 0_2_00409E98
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040A749 0_2_0040A749
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00409F28 0_2_00409F28
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_004097AA 0_2_004097AA
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00409FB6 0_2_00409FB6
PE file contains strange resources
Source: KOPEKER.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KOPEKER.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name is different from the original file name gathered from version info
Source: KOPEKER.exe, 00000000.00000002.986561193.0000000002200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs KOPEKER.exe
Source: KOPEKER.exe, 00000000.00000002.1003029734.00000000050D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs KOPEKER.exe
Uses 32bit PE files
Source: KOPEKER.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\KOPEKER.exe File created: C:\Users\user\AppData\Local\Temp\~DF0ADD49C825BCA8F7.TMP
Source: KOPEKER.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KOPEKER.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\KOPEKER.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: KOPEKER.exe Virustotal: Detection: 62%
Source: KOPEKER.exe Metadefender: Detection: 32%
Source: KOPEKER.exe ReversingLabs: Detection: 82%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KOPEKER.exe PID: 5760, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: KOPEKER.exe PID: 5760, type: MEMORY
PE file contains an invalid checksum
Source: KOPEKER.exe Static PE information: real checksum: 0x27f9e should be: 0x1d52b
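The checksum finding above compares the optional header's CheckSum field with the value Windows' CheckSumMappedFile would compute for the file. The C program below is an added example written for this page, not Joe Sandbox code and not code from the sample: it reimplements that documented algorithm, locates the field through e_lfanew, and compares stored against computed on a constructed minimal PE header. The stored value 0x27f9e is borrowed from the report only to show a mismatch; the header bytes themselves are made up, so the computed value is not the report's 0x1d52b. One caveat a practitioner should keep in mind: the loader does not enforce this field for user-mode executables (only for drivers and boot-time system DLLs), so a stale or zero checksum is common in benign builds and is weak evidence on its own; it is the combination with the other findings that matters.

```c
/* Added example for this page: recompute the PE optional-header CheckSum
 * the way the "real checksum ... should be" finding does and compare it
 * with the stored field. Editor's code, not Joe Sandbox output or code
 * from the sample. The header bytes built below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define COFF_HEADER_SIZE   24u   /* "PE\0\0" signature + 20-byte file header */
#define OPT_CHECKSUM_OFF   64u   /* CheckSum offset inside the optional header (PE32 and PE32+) */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* File offset of IMAGE_OPTIONAL_HEADER.CheckSum, or 0 if the buffer is not a PE. */
size_t pe_checksum_field_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    size_t pe_off = rd32le(img + 0x3c);                    /* e_lfanew */
    if (pe_off > len || len - pe_off < COFF_HEADER_SIZE + OPT_CHECKSUM_OFF + 4)
        return 0;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0)
        return 0;
    return pe_off + COFF_HEADER_SIZE + OPT_CHECKSUM_OFF;
}

/* CheckSumMappedFile algorithm: one's-complement sum of all 16-bit words,
 * skipping the 4-byte CheckSum field itself, folded to 16 bits, plus the
 * file length. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len, size_t skip_off)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        if (i >= skip_off && i < skip_off + 4)
            continue;                                       /* the field being computed */
        sum += (uint32_t)img[i] | ((uint32_t)img[i + 1] << 8);
        sum = (sum & 0xffffu) + (sum >> 16);                /* end-around carry */
    }
    if (len & 1) {
        sum += img[len - 1];                                /* odd trailing byte */
        sum = (sum & 0xffffu) + (sum >> 16);
    }
    sum = (sum & 0xffffu) + (sum >> 16);
    return sum + (uint32_t)len;
}

/* 1 = stored matches computed, 0 = mismatch, -1 = not a PE image. */
int pe_verify_checksum(const uint8_t *img, size_t len, uint32_t *stored, uint32_t *computed)
{
    size_t off = pe_checksum_field_offset(img, len);
    if (off == 0)
        return -1;
    *stored = rd32le(img + off);
    *computed = pe_compute_checksum(img, len, off);
    return *stored == *computed;
}

/* Constructed 184-byte PE32-shaped header (not the sample): MZ stub with
 * e_lfanew = 0x40, "PE\0\0", zeroed file header, optional header with
 * Magic 0x10b and a caller-chosen CheckSum. */
#define DEMO_LEN 184u
void build_demo_image(uint8_t out[DEMO_LEN], uint32_t stored_checksum)
{
    memset(out, 0, DEMO_LEN);
    out[0] = 'M'; out[1] = 'Z';
    wr32le(out + 0x3c, 0x40);
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x58] = 0x0b; out[0x59] = 0x01;                     /* Magic = 0x10b (PE32) */
    wr32le(out + 0x58 + OPT_CHECKSUM_OFF, stored_checksum);
}

int main(void)
{
    uint8_t img[DEMO_LEN];
    uint32_t stored, computed;
    /* 0x27f9e is the stored value the report printed for KOPEKER.exe; the
     * header it sits in here is constructed, so the computed value differs. */
    build_demo_image(img, 0x27f9e);
    int ok = pe_verify_checksum(img, DEMO_LEN, &stored, &computed);
    printf("stored 0x%x, computed 0x%x -> %s\n", stored, computed,
           ok == 1 ? "match" : ok == 0 ? "MISMATCH" : "not a PE");
    return 0;
}
```

To run it against a real file, read the whole image into a buffer and pass it to pe_verify_checksum; the skipped dword is located from the header, so the function works for PE32 and PE32+ alike.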
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00408053 push 8EA106DEh; ret 0_2_00408058
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00405019 push FFFFFFF4h; retf 0_2_0040504C
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040C903 pushad ; ret 0_2_0040C938
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040C24B push 7600FFCEh; iretd 0_2_0040C250
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0040445A push 0D010762h; retf 0_2_00404464
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00402F28 push 713A1CACh; retf 0_2_00402F98
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00403789 push BB150FDEh; retf 0_2_0040379C

Hooking and other Techniques for Hiding and Protection:

Icon mismatch: the binary embeds the icon of a different, legitimate application to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (71).png
Source: C:\Users\user\Desktop\KOPEKER.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00621226 0_2_00621226
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00627309 0_2_00627309
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0062266B 0_2_0062266B
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006226AB 0_2_006226AB
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00622733 0_2_00622733
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006227EB 0_2_006227EB
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006227BE 0_2_006227BE
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00622787 0_2_00622787
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00626843 0_2_00626843
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0062282E 0_2_0062282E
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00626806 0_2_00626806
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00626804 0_2_00626804
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006248E3 0_2_006248E3
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006248C3 0_2_006248C3
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006268CF 0_2_006268CF
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006248A7 0_2_006248A7
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006228B7 0_2_006228B7
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0062488B 0_2_0062488B
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00626892 0_2_00626892
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00626966 0_2_00626966
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00626907 0_2_00626907
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0062290E 0_2_0062290E
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0062690E 0_2_0062690E
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006249E7 0_2_006249E7
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006249C7 0_2_006249C7
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00624992 0_2_00624992
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_0062699F 0_2_0062699F
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00624A2B 0_2_00624A2B
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00624A0B 0_2_00624A0B
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00621C82 0_2_00621C82
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00625D75 0_2_00625D75
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00625DAE 0_2_00625DAE
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00625D8B 0_2_00625D8B
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\KOPEKER.exe RDTSC instruction interceptor: First address: 000000000062607D second address: 000000000062607D instructions:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: KOPEKER.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\KOPEKER.exe RDTSC instruction interceptor: First address: 000000000040991D second address: 000000000040991D instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, 00000085h
    0x00000008 cmp ebx, 00000000h
    0x0000000b cmp ebx, 0000009Ch
    0x00000011 cmp eax, 10h
    0x00000014 cmp ebx, 27h
    0x00000017 cmp ebx, 24h
    0x0000001a cmp ebx, 00000092h
    0x00000020 fsubr st(5), st(0)
    0x00000022 fldz
    0x00000024 packuswb mm6, mm5
    0x00000027 fldz
    0x00000029 fxch st(0), st(1)
    0x0000002b faddp st(1), st(0)
    0x0000002d fpatan
    0x0000002f jmp 00007F44BC95AAFEh
    0x00000031 cmp ebx, 63h
    0x00000034 cmp ebx, 000000C6h
    0x0000003a cmp eax, 000000A7h
    0x0000003f cmp edi, 02EAFF40h
    0x00000045 movd mm1, ebx
    0x00000048 movd mm1, ebx
    0x0000004b movd mm1, ebx
    0x0000004e movd mm1, ebx
    0x00000051 fst st(4)
    0x00000053 pslld mm5, 15h
    0x00000057 fabs
    0x00000059 psrlw mm4, A7h
    0x0000005d fnclex
    0x0000005f punpckhwd xmm4, xmm1
    0x00000063 psubusb mm5, mm1
    0x00000066 jmp 00007F44BC95AAF9h
    0x00000068 jne 00007F44BC95A8F8h
    0x0000006e inc edi
    0x0000006f cmp ebx, 000000C2h
    0x00000075 cmp eax, 00000099h
    0x0000007a cmp ebx, 5Dh
    0x0000007d cmp eax, 00000096h
    0x00000082 cmp eax, 68h
    0x00000085 cmp eax, 40h
    0x00000088 psraw xmm7, xmm3
    0x0000008c paddb xmm4, xmm5
    0x00000090 ffree st(3)
    0x00000092 psraw mm4, mm6
    0x00000095 fninit
    0x00000097 punpcklbw mm6, mm1
    0x0000009a psubw xmm0, xmm1
    0x0000009e jmp 00007F44BC95AAFDh
    0x000000a0 rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe RDTSC instruction interceptor: First address: 0000000000626071 second address: 000000000062607D instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b pushad
    0x0000000c rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe RDTSC instruction interceptor: First address: 000000000062607D second address: 000000000062607D instructions:
Source: C:\Users\user\Desktop\KOPEKER.exe RDTSC instruction interceptor: First address: 00000000006258C4 second address: 00000000006259C6 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b mov eax, dword ptr [ebp+04h]
    0x0000000e jmp 00007F44BC95CB9Ah
    0x00000010 cmp cl, dl
    0x00000012 add eax, ebx
    0x00000014 mov ecx, dword ptr [eax+18h]
    0x00000017 jmp 00007F44BC95CB9Ah
    0x00000019 cmp eax, 92C74976h
    0x0000001e mov dword ptr [ebp+08h], ecx
    0x00000021 mov ecx, dword ptr [eax+1Ch]
    0x00000024 jmp 00007F44BC95CB9Ah
    0x00000026 pushad
    0x00000027 mov di, 847Ch
    0x0000002b cmp di, 847Ch
    0x00000030 jne 00007F44BC95C80Ch
    0x00000036 popad
    0x00000037 mov dword ptr [ebp+14h], ecx
    0x0000003a mov ecx, dword ptr [eax+24h]
    0x0000003d mov dword ptr [ebp+10h], ecx
    0x00000040 jmp 00007F44BC95CB9Ah
    0x00000042 cmp ecx, ecx
    0x00000044 mov esi, dword ptr [eax+20h]
    0x00000047 jmp 00007F44BC95CB9Ah
    0x00000049 cmp ah, ch
    0x0000004b add esi, dword ptr [ebp+04h]
    0x0000004e xor ecx, ecx
    0x00000050 jmp 00007F44BC95CB9Ah
    0x00000052 cmp eax, edx
    0x00000054 jmp 00007F44BC95CB9Ah
    0x00000056 pushad
    0x00000057 lfence
    0x0000005a rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe RDTSC instruction interceptor: First address: 00000000006257CD second address: 00000000006258C4 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b call 00007F44BC95AB2Bh
    0x00000010 jmp 00007F44BC95AABAh
    0x00000012 cmp ah, ch
    0x00000014 mov dword ptr [ebp+04h], eax
    0x00000017 jmp 00007F44BC95AABAh
    0x00000019 cmp eax, edx
    0x0000001b mov ebx, dword ptr [eax+3Ch]
    0x0000001e add eax, ebx
    0x00000020 mov ebx, dword ptr [eax+78h]
    0x00000023 jmp 00007F44BC95AABAh
    0x00000025 pushad
    0x00000026 lfence
    0x00000029 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_004096F2 rdtsc 0_2_004096F2
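The intercepted sequences above share one frame: "rdtsc; lfence; shl edx, 20h; or edx, eax" composes the 64-bit counter from EDX:EAX, a second rdtsc closes the window, and what sits between the two reads is either filler (the FPU/MMX junk at 40991D) or real work that the sample wants timed anyway (the 6257CD and 6258C4 windows follow [eax+3Ch] to the PE header and [eax+78h] to the export directory, then read NumberOfNames at +18h, AddressOfFunctions at +1Ch, AddressOfNames at +20h and AddressOfNameOrdinals at +24h, i.e. they resolve APIs by walking exports). The C program below is an added example, the editor's code rather than the sample's or Joe Sandbox's, showing the two measurements behind the "CPUID execution measurement" and "RDTSC time measurements" signatures: the TSC delta around a CPUID, and the TSC delta around a fixed block of plain ALU instructions (the instruction-hammering variant, which punishes emulators and per-instruction instrumentation rather than hypervisors). It assumes an x86 host with gcc or clang's <x86intrin.h> and <cpuid.h>; on other architectures the measurement functions compile to stubs that return 0. The thresholds are illustrative assumptions; the sample's own thresholds cannot be recovered from the report.

```c
/* Added example: the two timing checks behind the CPUID and RDTSC
 * signatures. Editor's code, not the sample's and not Joe Sandbox's.
 * Assumes an x86 host with gcc/clang <x86intrin.h> and <cpuid.h>;
 * elsewhere the measurement functions compile to stubs returning 0. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#  include <x86intrin.h>   /* __rdtsc(): rdtsc with EDX:EAX already composed */
#  include <cpuid.h>       /* __cpuid(leaf, a, b, c, d) */
#  define HAVE_X86_TSC 1
#else
#  define HAVE_X86_TSC 0
#endif

/* TSC delta around one CPUID. CPUID unconditionally exits to the hypervisor
 * under VT-x and is intercepted by practically every other hypervisor, so the
 * delta is typically an order of magnitude larger in a VM than on bare metal. */
uint64_t cpuid_delta(void)
{
#if HAVE_X86_TSC
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

/* TSC delta around a fixed amount of plain ALU work: the "instruction
 * hammering" variant. Natively this costs a roughly constant number of
 * cycles; an emulator, single-stepping debugger or per-instruction
 * instrumentation inflates it many times over. */
uint64_t hammer_delta(unsigned iterations)
{
#if HAVE_X86_TSC
    volatile uint32_t sink = 0x12345678u;   /* volatile keeps the loop from being optimised away */
    uint64_t t0 = __rdtsc();
    for (unsigned i = 0; i < iterations; i++)
        sink = (sink ^ i) * 0x9e3779b1u;
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    (void)iterations;
    return 0;
#endif
}

/* Fill out[] with n CPUID deltas. Measurement is kept separate from the
 * decision so the decision can be tested on constructed samples. */
void sample_cpuid(uint64_t *out, int n)
{
    for (int i = 0; i < n; i++)
        out[i] = cpuid_delta();
}

/* Number of samples strictly above the threshold. */
int count_over_threshold(const uint64_t *deltas, int n, uint64_t threshold)
{
    int over = 0;
    for (int i = 0; i < n; i++)
        if (deltas[i] > threshold)
            over++;
    return over;
}

/* Majority vote: 1 if more than half the samples exceed the threshold.
 * Voting over many samples is what makes the check robust to a single
 * interrupt or context switch landing inside one window. */
int looks_instrumented(const uint64_t *deltas, int n, uint64_t threshold)
{
    return count_over_threshold(deltas, n, threshold) * 2 > n;
}

int main(void)
{
    enum { N = 32 };
    uint64_t d[N];
    /* Illustrative thresholds (assumptions); the sample's are not recoverable from the report. */
    const uint64_t cpuid_threshold = 1000, hammer_threshold = 20000;
    sample_cpuid(d, N);
    printf("cpuid: first sample %llu cycles, %d/%d over %llu -> %s\n",
           (unsigned long long)d[0], count_over_threshold(d, N, cpuid_threshold), N,
           (unsigned long long)cpuid_threshold,
           looks_instrumented(d, N, cpuid_threshold) ? "VM/instrumented" : "native");
    for (int i = 0; i < N; i++)
        d[i] = hammer_delta(1000);
    printf("hammer(1000): first sample %llu cycles, %d/%d over %llu\n",
           (unsigned long long)d[0], count_over_threshold(d, N, hammer_threshold), N,
           (unsigned long long)hammer_threshold);
    return 0;
}
```

From the defender's side, the same code explains why Joe Sandbox intercepts rdtsc rather than hiding the hypervisor: a sandbox that reports a plausibly small, monotonically increasing counter at each rdtsc defeats both measurements, whereas one that lets the real TSC through will be detected by the CPUID check no matter how well the rest of the VM is disguised.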
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\KOPEKER.exe Window / User API: threadDelayed 1256
Source: C:\Users\user\Desktop\KOPEKER.exe Window / User API: threadDelayed 8744
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: KOPEKER.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\KOPEKER.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_004096F2 rdtsc 0_2_004096F2
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006231CC mov eax, dword ptr fs:[00000030h] 0_2_006231CC
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006222F6 mov eax, dword ptr fs:[00000030h] 0_2_006222F6
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_006222C7 mov eax, dword ptr fs:[00000030h] 0_2_006222C7
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00622286 mov eax, dword ptr fs:[00000030h] 0_2_00622286
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00622295 mov eax, dword ptr fs:[00000030h] 0_2_00622295
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00625480 mov eax, dword ptr fs:[00000030h] 0_2_00625480
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00626843 mov eax, dword ptr fs:[00000030h] 0_2_00626843
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00626806 mov eax, dword ptr fs:[00000030h] 0_2_00626806
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00626804 mov eax, dword ptr fs:[00000030h] 0_2_00626804
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00621C82 mov eax, dword ptr fs:[00000030h] 0_2_00621C82
Source: C:\Users\user\Desktop\KOPEKER.exe Code function: 0_2_00625F2A mov eax, dword ptr fs:[00000030h] 0_2_00625F2A
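The "push imm32; ret / retf" findings in the Data Obfuscation section and the "mov eax, dword ptr fs:[00000030h]" PEB reads listed above are both byte-pattern heuristics, and both can be reproduced with a linear scan over a memory dump. The C program below is an added example (the editor's code, not the sample's and not Joe Sandbox's detector) that scans a buffer at every byte offset for 68 imm32 or 6A imm8 immediately followed by C3 (ret) or CB (retf), and for 64 A1 30 00 00 00 or 64 8B /r with a 30h displacement, i.e. a read of FS:[0x30], which in a 32-bit process is TEB.ProcessEnvironmentBlock. The input bytes are constructed, reusing the immediates 8EA106DEh, 0D010762h and FFFFFFF4h from the report. It also applies a sanity check the heuristic itself omits: in a 32-bit process without the large-address-aware flag, user-mode addresses end at 0x80000000, so "return targets" such as 8EA106DEh or BB150FDEh cannot be executed and are far more likely data or opaque junk that happens to decode as push/ret than genuine control transfers.

```c
/* Added example: byte-pattern scan for the "push imm; ret/retf" and
 * "mov reg, dword ptr fs:[30h]" heuristics. Editor's code, not the
 * sample's and not Joe Sandbox's detector. The input bytes are constructed;
 * the immediates are taken from the report's findings. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum finding_kind { PUSH_RET = 1, PUSH_RETF = 2, PEB_READ = 3 };

struct finding {
    size_t offset;            /* offset of the first byte of the pattern */
    enum finding_kind kind;
    uint32_t value;           /* pushed immediate, or destination register index for PEB_READ */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan at every byte offset: code/data boundaries are unknown in a dump,
 * which is also why such heuristics fire on data. Returns findings written. */
size_t scan_code_patterns(const uint8_t *buf, size_t len, struct finding *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        const uint8_t *p = buf + i;
        size_t left = len - i;
        if (left >= 6 && p[0] == 0x68 && (p[5] == 0xC3 || p[5] == 0xCB)) {
            /* 68 imm32 ; C3 ret / CB retf */
            out[n++] = (struct finding){ i, p[5] == 0xC3 ? PUSH_RET : PUSH_RETF, rd32le(p + 1) };
        } else if (left >= 3 && p[0] == 0x6A && (p[2] == 0xC3 || p[2] == 0xCB)) {
            /* 6A imm8 (sign-extended to 32 bits, hence the report's FFFFFFF4h) ; ret / retf */
            out[n++] = (struct finding){ i, p[2] == 0xC3 ? PUSH_RET : PUSH_RETF,
                                         (uint32_t)(int32_t)(int8_t)p[1] };
        } else if (left >= 6 && p[0] == 0x64 && p[1] == 0xA1 && rd32le(p + 2) == 0x30) {
            /* 64 A1 30 00 00 00: mov eax, dword ptr fs:[30h] (TEB.ProcessEnvironmentBlock) */
            out[n++] = (struct finding){ i, PEB_READ, 0 };
        } else if (left >= 7 && p[0] == 0x64 && p[1] == 0x8B && (p[2] & 0xC7) == 0x05
                   && rd32le(p + 3) == 0x30) {
            /* 64 8B /r disp32 with mod=00 rm=101: mov reg, dword ptr fs:[30h]; reg in ModRM.reg */
            out[n++] = (struct finding){ i, PEB_READ, (uint32_t)((p[2] >> 3) & 7) };
        }
    }
    return n;
}

/* Sanity check the heuristic omits: without the large-address-aware flag a
 * 32-bit process's user space ends at 0x80000000, so an immediate such as
 * 8EA106DEh cannot be a real return target. The low 64 KiB is never mapped. */
int is_user_mode_addr32(uint32_t addr)
{
    return addr >= 0x10000u && addr < 0x80000000u;
}

/* Constructed input (not bytes of KOPEKER.exe): a few instructions around
 * the patterns, with immediates reused from the report. */
const uint8_t demo_bytes[] = {
    0x90, 0x90,                                 /* nop ; nop */
    0x68, 0xDE, 0x06, 0xA1, 0x8E, 0xC3,         /* push 8EA106DEh ; ret */
    0x33, 0xC0,                                 /* xor eax, eax */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,         /* mov eax, dword ptr fs:[30h] */
    0x6A, 0xF4, 0xCB,                           /* push FFFFFFF4h ; retf */
    0x68, 0x62, 0x07, 0x01, 0x0D, 0xCB,         /* push 0D010762h ; retf */
    0x64, 0x8B, 0x1D, 0x30, 0x00, 0x00, 0x00,   /* mov ebx, dword ptr fs:[30h] */
    0xC3                                        /* ret */
};
const size_t demo_len = sizeof demo_bytes;

int main(void)
{
    static const char *kind_name[] = { "?", "push imm; ret", "push imm; retf", "mov reg, fs:[30h]" };
    static const char *reg_name[] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };
    struct finding f[16];
    size_t n = scan_code_patterns(demo_bytes, demo_len, f, 16);
    for (size_t i = 0; i < n; i++) {
        if (f[i].kind == PEB_READ)
            printf("+0x%02zx %s (%s)\n", f[i].offset, kind_name[f[i].kind], reg_name[f[i].value]);
        else
            printf("+0x%02zx %s target 0x%08x%s\n", f[i].offset, kind_name[f[i].kind], f[i].value,
                   is_user_mode_addr32(f[i].value) ? "" : " (not a user-mode address: junk/data)");
    }
    return 0;
}
```

The report's own offsets confirm the 68 imm32 encoding: the ret at 0_2_00408058 sits exactly five bytes after the push at 0_2_00408053. The retf hits at 0_2_00405019/0_2_0040504C are not adjacent, so a scanner like this one would not report them; that gap is the usual price of a pure byte-pattern heuristic versus a real disassembler.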
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos