Edit tour

Windows Analysis Report
IdeaShare Key.exe

Overview

General Information

Sample Name:	IdeaShare Key.exe
Analysis ID:	876178
MD5:	e6d42ac433331124c62460cfcced76a1
SHA1:	ea9fc583c7bd2054a8d51e61d6b1cbeee800d344
SHA256:	5faa9cd735d499eb4fbcb08a252d53020629a7418c9b6c30b00c5d2d7cc7fe25
Infos:

Detection

Score:	9
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Compliance

Score:	16
Range:	0 - 100

Signatures

Creates a DirectInput object (often for capturing keystrokes)

EXE planting / hijacking vulnerabilities found

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

DLL planting / hijacking vulnerabilities found

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Contains functionality to query network adapater information

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

IdeaShare Key.exe (PID: 5976 cmdline: C:\Users\user\Desktop\IdeaShare Key.exe MD5: E6D42AC433331124C62460CFCCED76A1)

IdeaShareKeyForm.exe (PID: 5948 cmdline: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe MD5: 1A8C471F9AF78F640DC43C6C2FB533C2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Cryptography

Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\IdeaShare Key.exe

EXE: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Jump to behavior

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WINMM.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WTSAPI32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: VERSION.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: NETAPI32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: WININET.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: USERENV.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: MPR.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: IPHLPAPI.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: MSVCP140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: SHFOLDER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WINMMBASE.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: NETUTILS.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: SRVCLI.DLL	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: WindowsCodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: DNSAPI.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: UxTheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: VCRUNTIME140.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\IdeaShare Key.exe

EXE: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Jump to behavior

Uses 32bit PE files

Source: IdeaShare Key.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WINMM.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WTSAPI32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: VERSION.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: NETAPI32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: WININET.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: USERENV.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: MPR.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: IPHLPAPI.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: MSVCP140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: SHFOLDER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WINMMBASE.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: NETUTILS.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: SRVCLI.DLL	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: WindowsCodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: DNSAPI.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: UxTheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: VCRUNTIME140.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll	Jump to behavior

PE / OLE file has a valid certificate

Source: IdeaShare Key.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbQ source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb,,& source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\IdeaShareRelease\IdeaShare\third-party\qtsingleapplication\release\QtSingleApp.pdb source: IdeaShare Key.exe, 00000000.00000003.357958578.0000000002924000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365942375.000000006CCA6000.00000002.00000001.01000000.00000006.sdmp, QtSingleApp.dll.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365228156.000000006CAF4000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361417174.000000006B847000.00000002.00000001.01000000.0000000B.sdmp, qwindows.dll.0.dr

Spreading

Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_004062F9 FindFirstFileW,FindClose,	0_2_004062F9
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00402E3C FindFirstFileW,	0_2_00402E3C
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00406CAF DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CAF

Networking

Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: d04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)
Source: IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: k04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)

Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://bugreports.qt.io/
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: IdeaShare Key.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.color.org)
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_00407277 InternetConnectA,HttpOpenRequestA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00407277

Key, Mouse, Clipboard, Microphone and Screen Capturing

Creates a DirectInput object (often for capturing keystrokes)

Source: IdeaShare Key.exe, 00000000.00000002.359007472.000000000083A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_004044E9 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044E9

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_004050FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050FE

System Summary

Uses 32bit PE files

Source: IdeaShare Key.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Sample file is different than original file name gathered from version info

Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Widgets.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Network.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002935000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: //VALUE "OriginalFilename", "IdeaShareKeyForm.exe" vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwindows.dll( vs IdeaShare Key.exe

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_004038A8 EntryPoint,GetTickCount,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,GetTickCount,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

0_2_004038A8

Detected potential crypto function

Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00407E74	0_2_00407E74
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00406EE6	0_2_00406EE6
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_004049B5	0_2_004049B5

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: String function: 004062C7 appears 57 times

Source: C:\Users\user\Desktop\IdeaShare Key.exe

File read: C:\Users\user\Desktop\IdeaShare Key.exe

Jump to behavior

Source: IdeaShare Key.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IdeaShare Key.exe C:\Users\user\Desktop\IdeaShare Key.exe
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Process created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Process created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Jump to behavior

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Mutant created: \Sessions\1\BaseNamedObjects\QtLockedFile mutex c:/users/user/appdata/local/ideasharekey/qtsingleapp-ideash-193a-1-lockfile

Source: C:\Users\user\Desktop\IdeaShare Key.exe

File created: C:\Users\user\AppData\Local\IdeaShareKey

Jump to behavior

Source: C:\Users\user\Desktop\IdeaShare Key.exe

File created: C:\Users\user\AppData\Local\Temp\nsk3518.tmp

Jump to behavior

Source: classification engine

Classification label: clean9.winEXE@3/8@0/0

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_0040250B CoCreateInstance,

0_2_0040250B

Source: C:\Users\user\Desktop\IdeaShare Key.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IdeaShare Key.exe

0_2_004044E9

Submission file is bigger than most known malware samples

Source: IdeaShare Key.exe

Static file information: File size 6338072 > 1048576

PE / OLE file has a valid certificate

Source: IdeaShare Key.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbQ source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb,,& source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\IdeaShareRelease\IdeaShare\third-party\qtsingleapplication\release\QtSingleApp.pdb source: IdeaShare Key.exe, 00000000.00000003.357958578.0000000002924000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365942375.000000006CCA6000.00000002.00000001.01000000.00000006.sdmp, QtSingleApp.dll.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365228156.000000006CAF4000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361417174.000000006B847000.00000002.00000001.01000000.0000000B.sdmp, qwindows.dll.0.dr

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Code function: 1_2_011C100A push ecx; ret

1_2_011CBD99

PE file contains sections with non-standard names

Source: IdeaShareKeyForm.exe.0.dr	Static PE information: section name: .00cfg
Source: qwindows.dll.0.dr	Static PE information: section name: .qtmetad

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_00406320 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406320

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\IdeaShare Key.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

API coverage: 7.8 %

Contains functionality to query network adapater information

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: wsprintfA,lstrcatA,GetAdaptersInfo,GetAdaptersInfo,StrStrIA,

0_2_004076C5

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_004077D3 lstrcatA,GetSystemInfo,GlobalMemoryStatusEx,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,QueryPerformanceFrequency,wsprintfA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,wsprintfA,

0_2_004077D3

Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_004062F9 FindFirstFileW,FindClose,	0_2_004062F9
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00402E3C FindFirstFileW,	0_2_00402E3C
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00406CAF DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CAF

Source: IdeaShare Key.exe	Binary or memory string: %d,%d,%d,%d,%d,%dkernel32.dllGetProductInfovmware%u,%u,%uc:\%d,%d,%d,%u~MHzHARDWARE\DESCRIPTION\System\CentralProcessor\0\%u,%u,%u,%u,%s
Source: IdeaShare Key.exe	Binary or memory string: vmware
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@L
Source: IdeaShareKeyForm.exe, 00000001.00000002.363356725.000000006C7F5000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: cl.?AVQEmulationPaintEngine@@L
Source: IdeaShare Key.exe	Binary or memory string: vmCih
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363356725.000000006C7F5000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Code function: 1_2_011CBAD4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_011CBAD4

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_00406320 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406320

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Code function: 1_2_011CB2B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_011CB2B7
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Code function: 1_2_011CBAD4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_011CBAD4
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Code function: 1_2_011C1415 SetUnhandledExceptionFilter,	1_2_011C1415

Language, Device and Operating System Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
IdeaShare Key.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IdeaShare Key.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Windows Analysis Report
IdeaShare Key.exe