Windows Analysis Report
kbdgc.exe

ID:	1467148
Product:	CloudBasic
Start time:	18:54:05
Start date:	03.07.2024
Sample:	kbdgc.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	5025218d868f68c956a6bcb8f3c99007
SHA1:	84f0f59997a46562e837730335c304b719335ce9
SHA256:	ae8ada4be2d0844a57fcfcab82e65dd28613f4e9e802a14562c7f595115ee9bc
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\Desktop\update\INSALEEXIST_TEMP.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 74, Total Editing Time: 1d+15:47:03, Last Saved Time/Date: Fri Jun 7 10:58:20 2024, Create Time/Date: Wed Jul 24 13:49:08 2013, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	EC4AC33729E7AE3E2DD811D9D2C7E12E	51DD666551138996F9883313E904AD103FC0DFD9	F587B7042132D3E94274422812DED7775B749A563E02EC91378BD494F149B08B
C:\Users\user\Desktop\update\INSALEEXIST_TMP.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 936, Revision Number: 87, Total Editing Time: 03:46:56, Last Saved Time/Date: Mon Jul 1 04:55:50 2024, Create Time/Date: Wed Apr 11 10:39:29 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	9A90B2AC6AB4D0C35D9A55B5BA699464	6C73AC92D1994AEAF0AFD3450C55DA204B53B2B7	29ECDE4F562E0176F0FF6C6C6E8F7DFC1222A35C3D3BC5290E987C67E130FB3C
C:\Users\user\Desktop\update\Monsec_Thwx.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 47, Total Editing Time: 1d+09:27:40, Last Saved Time/Date: Thu Jun 27 07:58:55 2024, Create Time/Date: Sat Jan 23 07:53:15 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	F5960AAF6CFCA05F6F529AE4ADD63719	C53FB97CFAAD02C5B0165F4594C778026FFAF66B	1CD65580C695A7B93E4F83AAF80A7EE5EF74CD11681874B5705DFF8DA493F839
C:\Users\user\Desktop\update\Monsec_sum.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 43, Total Editing Time: 1d+05:46:38, Last Saved Time/Date: Mon Jul 1 10:30:27 2024, Create Time/Date: Sat Jan 23 07:53:15 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	51EDC791CCAFE1141F2D36AE275064DB	446CAC76FED174C0B5D40BAB5208F786B40299FB	B5EA5ECBCF8A17D071FD6DF794FE796F271E3EBB079C6100A078D1B90E54B923
C:\Users\user\Desktop\update\Monsec_sumOne.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 31, Total Editing Time: 16:53:47, Last Saved Time/Date: Wed Apr 24 10:20:54 2024, Create Time/Date: Sat Jan 23 07:53:15 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	1B39F6E81667D02369AA7D7B0FC30852	F930B0FFA1DCB8A202B20A322EEC20D5F89D6882	C68FB9AFA03F43A0F95465B6378F3D75CED4804DB06E3C2F8F6202CEFC93F480
C:\Users\user\Desktop\update\SaleDtl1.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Revision Number: 136, Total Editing Time: 4d+06:57:45, Last Printed: Wed Dec 16 12:39:40 2020, Last Saved Time/Date: Wed Jul 3 06:46:47 2024, Create Time/Date: Thu Aug 8 04:21:38 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Seagate Crystal Reports	D5C8195621D6A6CE85D8E3DFE2FEB54E	28F73F26381512B14204952D606C85325A23C7E1	247640B4E27177B98176C482DEFB44AA1817704C681916B2F2C5723806E8E4FD
C:\Users\user\Desktop\update\SaleDtl2.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Revision Number: 136, Total Editing Time: 4d+03:46:27, Last Printed: Wed Dec 16 12:39:40 2020, Last Saved Time/Date: Wed Jul 3 04:57:48 2024, Create Time/Date: Thu Aug 8 04:21:38 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Seagate Crystal Reports	38797A5508B282594EF8AD42A444B199	C8B69B7CBA4BAB684F60F26D4249997E83B89B32	1CF1FF95752A37E7E8234D96D4BCB3B65E7CA9173BCF8B6958941E5FAB2F5745
C:\Users\user\Desktop\update\SaleDtl3.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Revision Number: 139, Total Editing Time: 4d+02:56:30, Last Printed: Wed Dec 16 12:39:40 2020, Last Saved Time/Date: Tue Jul 2 04:08:23 2024, Create Time/Date: Thu Aug 8 04:21:38 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Seagate Crystal Reports	0E7BD770F1186ADBAC0245DA8B7AA01B	37ADA604765EF7D58E02757E698D859EEEAF8A58	4472D2FABC61A9C12652D05E80143446247A891879A8C2CAE0B8C33CE29A74B4
C:\Users\user\Desktop\update\SaleDtl_sum.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Revision Number: 130, Total Editing Time: 4d+02:19:19, Last Printed: Wed Dec 16 12:39:40 2020, Last Saved Time/Date: Tue Jul 2 04:08:36 2024, Create Time/Date: Thu Aug 8 04:21:38 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Seagate Crystal Reports	9EFAB31B11B25334F1D4A5D914E736BA	28CAF6139123E86CFDF6AF1E29BFEEC41C83E546	F5103002B65A1712D877F8B9BF4C1CA9FA14ECAA9E5259EB1CCDB4DAE00EE1C5
C:\Users\user\Desktop\update\daybalprc_dtl.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 11, Total Editing Time: 05:01:39, Last Saved Time/Date: Fri Jun 7 06:56:27 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	BC3FD89CA077D5ED0D92A2EA95FA28F1	F9F5B1739CB4E9427AA11B33BFA47DC0615B566D	FB63CD260043C958980F2B4C5057D5EF726ABE259A8DCAA4C2D2D7E1D9C3C7A2
C:\Users\user\Desktop\update\daysale_dtl.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 29, Total Editing Time: 01:34:29, Last Saved Time/Date: Thu Jun 6 07:06:05 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	6DCCCBECA34C119EB39036AFF0928EC8	6FFC0B7A455CE38089B03E58216623CC3506E014	DDDA0A65A2DA99ABCB104BEE42F069D71D50F95776C4DCFF0B0506F40171E3E7
C:\Users\user\Desktop\update\daysale_dtl2.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 34, Total Editing Time: 01:42:48, Last Saved Time/Date: Thu Jun 6 07:44:12 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	61C996537672E56B3895D38793FEF51E	C48C8B05E18208C4E58CD997B26E9824D45D62BF	3EC08A5424B1C2CD958D2FCBC3CF37EBD43941540651D907F00C16306ABDFCC7
C:\Users\user\Desktop\update\metalin.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, Code page: 936, Revision Number: 82, Total Editing Time: 03:58:18, Last Saved Time/Date: Wed Jul 3 04:02:28 2024, Create Time/Date: Tue Dec 13 14:17:25 2005, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	E8A04303C9F5D3FF634AAF3AF17C16A3	17C7A9D0698B022EE1CA93BD8BFDCF07EB49EFAA	9AA744B900703F545830104E1E5FF8FCC5FD2F45BE6F1AE37CC7D6EBDB67E34C
C:\Users\user\Desktop\update\metalout.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, Code page: 936, Revision Number: 65, Total Editing Time: 01:13:11, Last Saved Time/Date: Wed Jul 3 04:02:12 2024, Create Time/Date: Tue Dec 13 14:17:25 2005, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	218DA672087A986EF7DAC94A4B5E665B	F83AF3EAB9303AFA49CC37FB1429183B419A3BE4	FA61C479C6B8BF91A47964C64F02AC7F49F51FD04BE8235DF8A81C3D9DB95950
C:\Users\user\Desktop\update\suppaymtl_total.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 11, Total Editing Time: 05:16:08, Last Saved Time/Date: Fri Jun 7 08:17:48 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	6C73C30AF9548F1AC5ADECEB15B279FA	655E0F25F5FD5E229C0C9B86AF186E14116EC681	DE547EB36BD293CAD5E227772CCE7E804184AB1F87235B3239C3638426B1A138
C:\Users\user\Desktop\update\zjz_dtl.rpt	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 39, Total Editing Time: 01:48:57, Last Saved Time/Date: Thu Jun 6 10:07:39 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal	9A6A2DF9EB24983122E0B06EFF4CFF57	E9459C7267C245EEB6AF2A866DEC8FB204E215F6	8D9E6F8242B9D93518DC7945B42950EC96595BBC0984324188566A7B5D4C82C9
C:\Users\user\Desktop\update\zwei.exe	PE32 executable (GUI) Intel 80386, for MS Windows	AA54788F8FF9F9D50FA3804069F148CB	85BF40F886EE19D1B7C18B320676C58E0FC4D623	B930CFA7A81E07DA6A98A126C6D45560DF027C86B8C6716B9672ABD421C70077

AV Detection

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.2% probability

Compliance

Source: kbdgc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: kbdgc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kbdgc.exe

Spreading

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B79F76 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00B79F76
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B89D3B SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00B89D3B

Networking

Source: zwei.exe.0.dr	String found in binary or memory: http://192.168.30.6:8080/SSH/jsp/upload/upload.jsp
Source: zwei.exe.0.dr	String found in binary or memory: http://www.Jewsys.com
Source: zwei.exe.0.dr	String found in binary or memory: http://www.zwei.com__vbaFailedFriend

System Summary

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B76DD8: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00B76DD8

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B780FA		0_2_00B780FA
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B854D8		0_2_00B854D8
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8E08A		0_2_00B8E08A
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7E8DD		0_2_00B7E8DD
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7D828		0_2_00B7D828
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B73058		0_2_00B73058
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8E99E		0_2_00B8E99E
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8590D		0_2_00B8590D
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8295B		0_2_00B8295B
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7D22A		0_2_00B7D22A
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8F208		0_2_00B8F208
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B9E244		0_2_00B9E244
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B92308		0_2_00B92308
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B84B09		0_2_00B84B09
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B82C8C		0_2_00B82C8C
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7DC8B		0_2_00B7DC8B
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B99C3E		0_2_00B99C3E
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B75C39		0_2_00B75C39
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8E586		0_2_00B8E586
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B725F5		0_2_00B725F5
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8EDD3		0_2_00B8EDD3
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B73D3B		0_2_00B73D3B
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7B686		0_2_00B7B686
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B826E0		0_2_00B826E0
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7CE12		0_2_00B7CE12
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B99790		0_2_00B99790
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B85F46		0_2_00B85F46

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: String function: 00B8C630 appears 53 times
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: String function: 00B8CFB0 appears 31 times
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: String function: 00B8C560 appears 36 times

Source: kbdgc.exe, 00000000.00000003.1674339680.0000000005F08000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamezwei.exe vs kbdgc.exe

Source: kbdgc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus27.winEXE@1/17@0/0

Source: C:\Users\user\Desktop\kbdgc.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6376203

Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe	Command line argument: sfxname		0_2_00B8B905
Source: C:\Users\user\Desktop\kbdgc.exe	Command line argument: sfxstime		0_2_00B8B905
Source: C:\Users\user\Desktop\kbdgc.exe	Command line argument: STARTDLG		0_2_00B8B905

Source: kbdgc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kbdgc.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: zwei.exe.0.dr

Binary or memory string: select * from tbright with(nolock) where code ='frm_metalout' and empl_no =';

Source: C:\Users\user\Desktop\kbdgc.exe

File read: C:\Users\user\Desktop\kbdgc.exe

Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: dxgidebug.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: riched20.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: usp10.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: msls31.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: wintypes.dll			Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: kbdgc.exe

Static file information: File size 6427166 > 1048576

Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: kbdgc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: kbdgc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kbdgc.exe

Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\kbdgc.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6376203

Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8C560 push eax; ret		0_2_00B8C57E
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8CFF6 push ecx; ret		0_2_00B8D009

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\kbdgc.exe

File created: C:\Users\user\Desktop\update\zwei.exe

Jump to dropped file

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\kbdgc.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\update\zwei.exe

Jump to dropped file

Source: C:\Users\user\Desktop\kbdgc.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B79F76 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00B79F76
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B89D3B SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00B89D3B

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B8C07D VirtualQuery,GetSystemInfo,

0_2_00B8C07D

Source: C:\Users\user\Desktop\kbdgc.exe

API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B8D1B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B8D1B5

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B94444 mov eax, dword ptr fs:[00000030h]

0_2_00B94444

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B98382 GetProcessHeap,

0_2_00B98382

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8D1B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00B8D1B5
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8D303 SetUnhandledExceptionFilter,		0_2_00B8D303
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8D4BB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00B8D4BB
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B9552C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00B9552C

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B8D00B cpuid

0_2_00B8D00B

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00B88C23

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B8B905 OleInitialize,GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,LoadBitmapW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,

0_2_00B8B905

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B7A5E3 GetVersionExW,

0_2_00B7A5E3