Edit tour

Windows Analysis Report
IdeaShare Key.exe

Overview

General Information

Sample Name:	IdeaShare Key.exe
Analysis ID:	876178
MD5:	e6d42ac433331124c62460cfcced76a1
SHA1:	ea9fc583c7bd2054a8d51e61d6b1cbeee800d344
SHA256:	5faa9cd735d499eb4fbcb08a252d53020629a7418c9b6c30b00c5d2d7cc7fe25
Infos:

Detection

Score:	9
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Compliance

Score:	16
Range:	0 - 100

Signatures

Creates a DirectInput object (often for capturing keystrokes)

EXE planting / hijacking vulnerabilities found

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

DLL planting / hijacking vulnerabilities found

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Contains functionality to query network adapater information

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

IdeaShare Key.exe (PID: 5976 cmdline: C:\Users\user\Desktop\IdeaShare Key.exe MD5: E6D42AC433331124C62460CFCCED76A1)

IdeaShareKeyForm.exe (PID: 5948 cmdline: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe MD5: 1A8C471F9AF78F640DC43C6C2FB533C2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Cryptography

Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\IdeaShare Key.exe

EXE: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Jump to behavior

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WINMM.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WTSAPI32.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: VERSION.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: dwmapi.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: NETAPI32.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: WININET.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: USERENV.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: iphlpapi.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: MPR.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: IPHLPAPI.DLL
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: d3d11.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: MSVCP140.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: dxgi.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: d3d10warp.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: WindowsCodecs.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: DNSAPI.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: UxTheme.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: VCRUNTIME140.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\IdeaShare Key.exe

EXE: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Jump to behavior

Uses 32bit PE files

Source: IdeaShare Key.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WINMM.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WTSAPI32.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: VERSION.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: dwmapi.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: NETAPI32.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: WININET.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll	Jump to behavior
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: USERENV.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: iphlpapi.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: MPR.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: IPHLPAPI.DLL
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: d3d11.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: MSVCP140.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: dxgi.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: d3d10warp.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: WindowsCodecs.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: DNSAPI.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: UxTheme.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	DLL: VCRUNTIME140.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe	DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll	Jump to behavior

PE / OLE file has a valid certificate

Source: IdeaShare Key.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbQ source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb,,& source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\IdeaShareRelease\IdeaShare\third-party\qtsingleapplication\release\QtSingleApp.pdb source: IdeaShare Key.exe, 00000000.00000003.357958578.0000000002924000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365942375.000000006CCA6000.00000002.00000001.01000000.00000006.sdmp, QtSingleApp.dll.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365228156.000000006CAF4000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361417174.000000006B847000.00000002.00000001.01000000.0000000B.sdmp, qwindows.dll.0.dr

Spreading

Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_004062F9 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00402E3C FindFirstFileW,
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00406CAF DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,

Networking

Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: d04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)
Source: IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: k04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)

Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://bugreports.qt.io/
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: IdeaShare Key.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.color.org)
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_00407277 InternetConnectA,HttpOpenRequestA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

Key, Mouse, Clipboard, Microphone and Screen Capturing

Creates a DirectInput object (often for capturing keystrokes)

Source: IdeaShare Key.exe, 00000000.00000002.359007472.000000000083A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_004044E9 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_004050FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Uses 32bit PE files

Source: IdeaShare Key.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Sample file is different than original file name gathered from version info

Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Widgets.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Network.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002935000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: //VALUE "OriginalFilename", "IdeaShareKeyForm.exe" vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwindows.dll( vs IdeaShare Key.exe

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_004038A8 EntryPoint,GetTickCount,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,GetTickCount,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

Detected potential crypto function

Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00407E74
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00406EE6
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_004049B5

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: String function: 004062C7 appears 57 times

Source: C:\Users\user\Desktop\IdeaShare Key.exe

File read: C:\Users\user\Desktop\IdeaShare Key.exe

Jump to behavior

Source: IdeaShare Key.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\IdeaShare Key.exe C:\Users\user\Desktop\IdeaShare Key.exe
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Process created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Process created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Mutant created: \Sessions\1\BaseNamedObjects\QtLockedFile mutex c:/users/user/appdata/local/ideasharekey/qtsingleapp-ideash-193a-1-lockfile

Source: C:\Users\user\Desktop\IdeaShare Key.exe

File created: C:\Users\user\AppData\Local\IdeaShareKey

Jump to behavior

Source: C:\Users\user\Desktop\IdeaShare Key.exe

File created: C:\Users\user\AppData\Local\Temp\nsk3518.tmp

Jump to behavior

Source: classification engine

Classification label: clean9.winEXE@3/8@0/0

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_0040250B CoCreateInstance,

Source: C:\Users\user\Desktop\IdeaShare Key.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Submission file is bigger than most known malware samples

Source: IdeaShare Key.exe

Static file information: File size 6338072 > 1048576

PE / OLE file has a valid certificate

Source: IdeaShare Key.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbQ source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb,,& source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\IdeaShareRelease\IdeaShare\third-party\qtsingleapplication\release\QtSingleApp.pdb source: IdeaShare Key.exe, 00000000.00000003.357958578.0000000002924000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365942375.000000006CCA6000.00000002.00000001.01000000.00000006.sdmp, QtSingleApp.dll.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365228156.000000006CAF4000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361417174.000000006B847000.00000002.00000001.01000000.0000000B.sdmp, qwindows.dll.0.dr

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Code function: 1_2_011C100A push ecx; ret

PE file contains sections with non-standard names

Source: IdeaShareKeyForm.exe.0.dr	Static PE information: section name: .00cfg
Source: qwindows.dll.0.dr	Static PE information: section name: .qtmetad

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_00406320 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\IdeaShare Key.exe	File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\IdeaShare Key.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

API coverage: 7.8 %

Contains functionality to query network adapater information

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: wsprintfA,lstrcatA,GetAdaptersInfo,GetAdaptersInfo,StrStrIA,

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_004077D3 lstrcatA,GetSystemInfo,GlobalMemoryStatusEx,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,QueryPerformanceFrequency,wsprintfA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,wsprintfA,

Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_004062F9 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00402E3C FindFirstFileW,
Source: C:\Users\user\Desktop\IdeaShare Key.exe	Code function: 0_2_00406CAF DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,

Source: IdeaShare Key.exe	Binary or memory string: %d,%d,%d,%d,%d,%dkernel32.dllGetProductInfovmware%u,%u,%uc:\%d,%d,%d,%u~MHzHARDWARE\DESCRIPTION\System\CentralProcessor\0\%u,%u,%u,%u,%s
Source: IdeaShare Key.exe	Binary or memory string: vmware
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@L
Source: IdeaShareKeyForm.exe, 00000001.00000002.363356725.000000006C7F5000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: cl.?AVQEmulationPaintEngine@@L
Source: IdeaShare Key.exe	Binary or memory string: vmCih
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363356725.000000006C7F5000.00000008.00000001.01000000.00000008.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Code function: 1_2_011CBAD4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_00406320 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Code function: 1_2_011CB2B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Code function: 1_2_011CBAD4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	Code function: 1_2_011C1415 SetUnhandledExceptionFilter,

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Queries volume information: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Code function: 1_2_011CB8C5 cpuid

Source: C:\Users\user\Desktop\IdeaShare Key.exe

Code function: 0_2_00406820 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

Code function: 1_2_011CBE0B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	2 DLL Search Order Hijacking	1 Process Injection	1 Masquerading	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 DLL Search Order Hijacking	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 DLL Search Order Hijacking	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IdeaShare Key.exe	2%	ReversingLabs
IdeaShare Key.exe	1%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.phreedom.org/md5)	0%	URL Reputation	safe
http://www.phreedom.org/md5)	0%	URL Reputation	safe
http://www.phreedom.org/md5)08:27	0%	URL Reputation	safe
http://www.color.org)	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.phreedom.org/md5)	IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi	IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://www.phreedom.org/md5)08:27	IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	IdeaShare Key.exe	false		high
http://www.aiim.org/pdfa/ns/id/	IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp	false		high
http://www.color.org)	IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	low
http://bugreports.qt.io/	IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	876178
Start date and time:	2023-05-26 13:01:46 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	IdeaShare Key.exe
Detection:	CLEAN
Classification:	clean9.winEXE@3/8@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 52.6%) Quality average: 39.5% Quality standard deviation: 42.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

Time	Type	Description
13:02:40	API Interceptor	1x Sleep call for process: IdeaShareKeyForm.exe modified

Process:	C:\Users\user\Desktop\IdeaShare Key.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	320872
Entropy (8bit):	4.939208143331431
Encrypted:	false
SSDEEP:	6144:wGXX45Tx+DPeuqD4K3FN3EiCXibivN/DHCfMiKu:HuSBMMil
MD5:	1A8C471F9AF78F640DC43C6C2FB533C2
SHA1:	8CEEC8B336A55EC150607E69F620F4EF8E009AE1
SHA-256:	284CC22997B0E20D8F30F5C7F8B2256D9756E5AFA54FE9F2C4C70485CDB4A7C3
SHA-512:	80DC736CDB80CDA2544D402627DA04E1768737D4EB682FEBBFC64B498EEAF64E110FDCF23898B08786B00A7183B1E62E460623E74BEF2D2836EFF09BADA1836E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.D. .. .. ..).....r.+."..r./.:..r...,..r.).!..E.+.$../.!..+.&..+.#.. .+.../.%....!.. ..!..(.!..Rich .*.................PE..L...d8Ca..........................................@.................................v.....@..............................................]..............h...............8...............................@............................................text...\........................... ..`.rdata..............................@..@.data...\...........................@....idata..FX.......Z..................@..@.00cfg.......p.......P..............@..@.rsrc....].......^...R..............@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll

Download File

Process:	C:\Users\user\Desktop\IdeaShare Key.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5298536
Entropy (8bit):	6.852481117447856
Encrypted:	false
SSDEEP:	98304:p3QkIHj14FdDhqJsv6tWKFdu9CjzHveRnZyxEdm0:pgdnJsv6tWKFdu9CjzHeb
MD5:	4BB1FC81E4B6149749B6E84EF12712D6
SHA1:	FB0143E6EA6128D7FA7B2E1731D0232D6A40689F
SHA-256:	19BE47FA14A6F1B103171FB2B9B830F631215BB522A8803795DBB72C9E8E4A8F
SHA-512:	9505ED82E68C37717C2EA4E2107ECDED41004946ABD562A03FB92F187E4855D86CF3A319FC323492865C4D0EA8A9A5110737CB662266F360FEC7993CA84C876C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........V..8].8].8]...].8]..9\.8]A".].8]..=\.8]..<\.8]..;\.8]..<\.8]..>\.8]..9\.8].9]..8]E.<\.8]E.=\$.8]E.8\.8]E..].8]..].8]E.:\.8]Rich.8]........PE..L...2.}^...........!......'..").......%.......(....g.........................PQ......dQ...@...........................G.@...0.N.......O...............P.h.....O......PE.T....................QE......QE.@.............(.X............................text.....'.......'................. ..`.rdata....&...(...&...'.............@..@.data...\|.....O..J....N.............@....rsrc.........O......8O.............@..@.reloc........O......>O.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll

Download File

Process:	C:\Users\user\Desktop\IdeaShare Key.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5978984
Entropy (8bit):	6.780270903027489
Encrypted:	false
SSDEEP:	98304:f8oNJzx4w24LwWotu+PNlwL9PmEZ23Cex:pBbUuCPwNj2C0
MD5:	D8B7393009A6743FFCFB9D3A138FC114
SHA1:	5467D025F650D80949393DAF58601B47D41A25FA
SHA-256:	48846110574CFA870918E08471A180981D934DB1AAA92B4832CC567D0630A28E
SHA-512:	1AE4580ECEE6E992501C963B9406A2A0A927CA48AB0A3E7B8FDC247EC21AA74EDA9818224D72C3088893418FE8E5044E857B347D056B77DC5D4F73F5BF0EACDA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......?.f.{...{...{...r...m...)...q...)...w...)...c...)..........y... ...z... ...v...{...<......k.............z......z...{..z......z...Rich{...........................PE..L.....}^...........!....."7..d$.....b.7......@7...............................[.......[...@..........................n=.......V.h.....Y..............$[.h.....Y......<.T.....................<.....8.<.@............@7..............................text.... 7......"7................. ..`.rdata...O ..@7..P ..&7.............@..@.data....c....W......vW.............@....rsrc.........Y......tX.............@..@.reloc.......Y......zX.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll

Download File

Process:	C:\Users\user\Desktop\IdeaShare Key.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1115496
Entropy (8bit):	6.66916261306281
Encrypted:	false
SSDEEP:	24576:ZNfY4/b8d22Gmou3ZjRkjZgUPiV69DrOMxpqDc0EGQVzKa4:xAd22GrziVaSDckZ
MD5:	80D7021426B78E3E7527265841FC22A7
SHA1:	2E81B7E0F3D717F80284E3A43038997D66616042
SHA-256:	169BE38BE0BC90018DFF8EF05FE004DD04A6D0B3ABE294FC67B42466E5F2E6DD
SHA-512:	A2AF4D9ACE035C51E5CF846DB3955895422E65AE6A6D7D523493AC3AE6BC28ABA87A272BB50B16FC5FFF438723A911E31DED0EEFBDB4EFF7416D7C5E121C64CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........U.}...}...}....E..}.......}.......}.......}.......}.......}.......}..+....}...}..M~..+...7}..+....}..+.)..}...}A..}..+....}..Rich.}..........................PE..L.....}^...........!.........>.....................d.........................@......s%....@.............................Ta...=..@....0..................h....@..\|......T..........................H...@............................................text...?........................... ..`.rdata..............................@..@.data....9..........................@....rsrc........0......................@..@.reloc..\|....@......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll

Download File

Process:	C:\Users\user\Desktop\IdeaShare Key.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4596072
Entropy (8bit):	6.819919859208047
Encrypted:	false
SSDEEP:	98304:O1CmFlF05UMNO1ulAjhDfTbz7quDp+bXa6gYzdkSPD1UZlH6uV75uDdHBclxooG0:Yf59iJ5i
MD5:	2EBDB8799EB13D879A57CC20894EFDFF
SHA1:	8D54AC978DBBCA41742DADFD29DE360EC7E60450
SHA-256:	0CC9C3B945B35EFAB0DBB5706ED285B0C5233E6D36B2261AAA2FB7BFCBA0CD4E
SHA-512:	E580DBFF9CA35A1DDCFD879C35229212732D4E912D0F47430DB7F7C0166FBDDA895170ADF89F4EA2D81F393A71BDB4681E812B8F7B3636C7C8A3357927AEF309
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......I\|...............eK....._u......_u......_u......_u......Vu......Vu......t..........;...t.....t......t'.......O.....t......Rich............................PE..L...;.}^...........!.....&,..........',......@,....e.........................PF.......G...@.........................0.7..#..4.?.@.....B...............F.h.....B..z....6.T.....................6.......6.@............@,..4...........................text....$,......&,................. ..`.rdata..d....@,......*,.............@..@.data........@B..h... B.............@....rsrc.........B.......B.............@..@.reloc...z....B..\|....B.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll

Download File

Process:	C:\Users\user\Desktop\IdeaShare Key.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	6.1073547240575285
Encrypted:	false
SSDEEP:	768:RJiXhlJ0/q2aqiquV3aHaxGtpA510VxjqjCij9yKqTws:RJivOC9FxG4rsxjq3j9yKqss
MD5:	ABA7C077EFE89A0006FCD643A2C5EC62
SHA1:	531EB0A0941A19159921909BFE20FA47F34C0457
SHA-256:	B214C4FD356E0699900C40EBE22A757E6C6334E8C96F72791ACD27545FFC45A8
SHA-512:	1280CCF34D6B31CAAC2D5F5EAEEDB45E8D8F364E378EC79CCF63072CC40D5ADBB38016D934C8A193606FA6D00F7A7CC4C844DE4E94B06203DA6F954A19076139
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T.f.T.f.T.f.]...P.f...g.V.f...c.F.f...b.^.f...e.U.f.@.g.V.f...g.S.f.T.g..f...c.W.f...f.U.f....U.f...d.U.f.RichT.f.................PE..L.....O`...........!.....D...N.......?.......`............................................@..........................w.......\|..................................0....j..T...........................hj..@............`...............................text....C.......D.................. ..`.rdata...:...`...<...H..............@..@.data...\|...........................@....rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\IdeaShareKey\log\insit.log

Download File

Process:	C:\Users\user\Desktop\IdeaShare Key.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.065774219659049
Encrypted:	false
SSDEEP:	3:QvWizYQPc2XIvfYQPctTXvA:6WiRXSsTXvA
MD5:	8E2CD044125E0C173B3AAC9D12C190BB
SHA1:	1DD4E9AF27BC8DE55E1E537AFD3DEAAF4A118163
SHA-256:	CF663FEEB3397611B70272AD2D6969D1464D2E3437F371254144F6EF850FCECB
SHA-512:	F94D23D1766DD7BCBC4F55F081A717597FC607F938DF59B37A84DCB5C639871953A7B7200E8A6B2B1C14C6D85B5E08AD9A203A59731B073E25B5D3457659312A
Malicious:	false
Reputation:	low
Preview:	copy dll.start IdeaShareKeyForm.start IdeaShareKeyInstaller.end.

C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll

Download File

Process:	C:\Users\user\Desktop\IdeaShare Key.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221992
Entropy (8bit):	6.832955399743319
Encrypted:	false
SSDEEP:	12288:1YCQWyni5LoUmhY4or3D8kSqjPfmK7UpOVpYAlCRegIe5ZpzNAoKu15XSxDyfEWu:SniF3z39xPePpOkaXze5ZtN4bZa0n
MD5:	2F98DC4484F115FE227246844464CD04
SHA1:	0A49DA60F63FB476B2A3CAED2A5B7BA686A7D2FA
SHA-256:	31BF06D063B23A0AD606354D7D77416AF5713CE877F6A7E7BC658DD09DB02BB2
SHA-512:	32D64143CEE92FE6CAB366493DDFFB034EA71DF2B7CE584238DEB56E54886083676A50C6FBF28E871F926081E8C8AFD72B7FEB8EF24C50E16A4C034939D5433E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........8..k..k..k..Ak...k...j...k...j..k...j..k...j..k...j..k...j..kN..j..kN..j..k...j...k..kg..kN..j...kN..j..kN.-k..kN..j..kRich..k................PE..L.....}^...........!.....\...j.......[.......p...........................................@..........................w..x...(x....... ..H...............h....0..<....9..T....................:......H:..@............p...............................text....Z.......\.................. ..`.rdata...?...p...@...`..............@..@.data....X..........................@....qtmetad............................@..P.rsrc...H.... ......................@..@.reloc..<....0......................@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999391627012608
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IdeaShare Key.exe
File size:	6338072
MD5:	e6d42ac433331124c62460cfcced76a1
SHA1:	ea9fc583c7bd2054a8d51e61d6b1cbeee800d344
SHA256:	5faa9cd735d499eb4fbcb08a252d53020629a7418c9b6c30b00c5d2d7cc7fe25
SHA512:	cfad934f060f13b9e44934a793b1d73d4e3fbcd265050bce69481f1328bc8bc170b24ae826288b0f0b708a1bf5a4ba4df36ab7988c4a0ac96e18388ecdc9d2a8
SSDEEP:	196608:8y7Weg+i1XWsTrXmiq8mC7h0YPvw8qGqhXvmhwupR+:xk/9WC05CN0YZqFhXeeY
TLSH:	0256338092EC8466FF8A057066F075A195FEBD6D0663EB0D72368905FD2A3F45F68F04
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mu]..&]..&]..&..\&_..&..^&J..&]..&...&z\n&P..&z\.&\..&z\{&\..&Rich]..&........................PE..L...,..R.................x.

File Icon


Icon Hash:	181b214161331b18

Static PE Info

General

Entrypoint:	0x4038a8
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x52AFF32C [Tue Dec 17 06:46:04 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a73b2531bfc838dc3d19df5285b8d0fd

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	6/2/2021 12:37:54 AM 6/3/2022 12:37:54 AM
Subject Chain	CN=\u8f6f\u901a\u52a8\u529b\u4fe1\u606f\u6280\u672f\uff08\u96c6\u56e2\uff09\u80a1\u4efd\u6709\u9650\u516c\u53f8, O=\u8f6f\u901a\u52a8\u529b\u4fe1\u606f\u6280\u672f\uff08\u96c6\u56e2\uff09\u80a1\u4efd\u6709\u9650\u516c\u53f8, L=\u5317\u4eac\u5e02, S=\u5317\u4eac\u5e02, C=CN
Version:	3
Thumbprint MD5:	302F9D7469F8C3413FEEC8D8C9B808F8
Thumbprint SHA-1:	C2455B5BB7938677784BFE593CCE0E218E2AB68D
Thumbprint SHA-256:	F44AEB9493563C34D85C329C38D892C77DCC768C831AF7FB48DE773837E32AB6
Serial:	249A5D0D48B5FBE5F0138D14

Entrypoint Preview

Instruction
sub esp, 000002D8h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebx, ebx
pop esi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A2D0h
mov dword ptr [esp+14h], ebx
call dword ptr [00409090h]
mov dword ptr [esp+1Ch], eax
call dword ptr [00409034h]
push 00008001h
call dword ptr [004090B4h]
push ebx
call dword ptr [00409330h]
push 00000008h
mov dword ptr [00473EB8h], eax
call 00007F52B8CFD530h
push ebx
push 000002B4h
mov dword ptr [00473DD0h], eax
lea eax, dword ptr [esp+3Ch]
push eax
push ebx
push 0040A2CCh
call dword ptr [004091A4h]
push 0040A2B4h
push 0046BDC0h
call 00007F52B8CFD212h
call dword ptr [004090B0h]
push eax
mov edi, 004C40A0h
push edi
call 00007F52B8CFD200h
push ebx
call dword ptr [00409158h]
cmp word ptr [004C40A0h], 0022h
mov dword ptr [00473DD8h], eax
mov eax, edi
jne 00007F52B8CFAB0Ah
push 00000022h
pop esi
mov eax, 004C40A2h
push esi
push eax
call 00007F52B8CFCED8h
push eax
call dword ptr [00409270h]
mov esi, eax
mov dword ptr [esp+20h], esi
jmp 00007F52B8CFAB91h
push 00000020h
pop ebp
cmp ax, word ptr [eax]

Rich Headers

Programming Language:

[ C ] VS2005 build 50727
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xada4	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf9000	0x38f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x607050	0x45c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x338	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7788	0x7800	False	0.6550455729166667	data	6.509642546823201	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2f64	0x3000	False	0.3724772135416667	data	4.571600211578863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x67ebc	0x200	False	0.21875	data	1.5987280494305565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x74000	0x85000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf9000	0x38f8	0x3a00	False	0.8774245689655172	data	7.598885730468926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xf91d8	0x2fa3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_DIALOG	0xfc180	0x100	data	English	United States
RT_DIALOG	0xfc280	0x11c	data	English	United States
RT_DIALOG	0xfc3a0	0x60	data	English	United States
RT_GROUP_ICON	0xfc400	0x14	data	English	United States
RT_VERSION	0xfc418	0x1fc	data
RT_MANIFEST	0xfc618	0x2dd	XML 1.0 document, ASCII text, with very long lines (733), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, CloseHandle, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, GlobalHandle, GlobalReAlloc, GetSystemDefaultLCID, GetVolumeInformationA, QueryPerformanceFrequency, GlobalMemoryStatusEx, GetSystemInfo, GetModuleFileNameA, lstrcatA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, GlobalLock, MulDiv
USER32.dll	GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, GetClassInfoW, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, ScreenToClient, IsDlgButtonChecked, GetAsyncKeyState, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, SetWindowLongW
GDI32.dll	CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor, SelectObject, CreateFontIndirectW, SetBkMode, SetTextColor
SHELL32.dll	SHFileOperationW, SHGetFileInfoW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetSpecialFolderLocation, ShellExecuteW
ADVAPI32.dll	RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegEnumValueW, RegDeleteKeyW, RegCloseKey, RegEnumKeyW, RegOpenKeyExW, RegDeleteValueW
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
ole32.dll	OleUninitialize, CoCreateInstance, CoTaskMemFree, OleInitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoSizeA, VerQueryValueW, GetFileVersionInfoW, VerQueryValueA, GetFileVersionInfoA
WININET.dll	InternetReadFile, InternetConnectA, InternetOpenA, InternetCloseHandle, HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, InternetSetOptionA
SHLWAPI.dll	PathFindFileNameA, StrStrIA
iphlpapi.dll	GetAdaptersInfo

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	13:02:36
Start date:	26/05/2023
Path:	C:\Users\user\Desktop\IdeaShare Key.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\IdeaShare Key.exe
Imagebase:	0x400000
File size:	6338072 bytes
MD5 hash:	E6D42AC433331124C62460CFCCED76A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: IdeaShareKeyForm.exePID: 5948, Parent PID: 5976

General

Target ID:	1
Start time:	13:02:40
Start date:	26/05/2023
Path:	C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe
Imagebase:	0x11c0000
File size:	320872 bytes
MD5 hash:	1A8C471F9AF78F640DC43C6C2FB533C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IdeaShare Key.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe

C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll

C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll

C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll

C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll

C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll

C:\Users\user\AppData\Local\IdeaShareKey\log\insit.log

C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Windows Analysis Report
IdeaShare Key.exe